Hello Blake,
So here is the patch based on 8.2.
But first make sure that you apply the maintenance by doing this:
/usr/local/pf/addons/pf-maint.pl
Then save the file on the server (in /usr/local/pf), then do:
cd /usr/local/pf
patch -p1 --dry-run < 3967_8.2.diff
If there is no error:
patch -p1 < 3967_8.2.diff
Regards
Fabrice
On 19-02-14 at 22:36, William Blake MacIsaac via PacketFence-users wrote:
Hello Fabrice,
I'm running 8.2.0
Thanks
Blake
On Thu, Feb 14, 2019, 7:27 PM Durand fabrice via PacketFence-users <[email protected]> wrote:
Hello William,
What PacketFence version are you running?
I will make a patch that applies to your version.
Regards
Fabrice
On 19-02-14 at 12:03, William Blake MacIsaac via PacketFence-users wrote:
Hello Fabrice,
Thank you very much for the response.
This is the error I get when I attempt to run that command:
[root@PacketFence pf]# curl https://patch-diff.githubusercontent.com/raw/inverse-inc/packetfence/pull/3967.diff | patch -p1
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  5708    0  5708    0     0   7087      0 --:--:-- --:--:-- --:--:--  7081
patching file conf/profiles.conf.defaults
Hunk #1 FAILED at 32.
1 out of 1 hunk FAILED -- saving rejects to file conf/profiles.conf.defaults.rej
can't find file to patch at input line 14
Perhaps you used the wrong -p or --strip option?
The text leading up to this was:
--------------------------
|diff --git a/docs/api/spec/components/schemas/configconnectionprofile.yaml b/docs/api/spec/components/schemas/configconnectionprofile.yaml
|index 7dbe71a1134..48aae9bcc1c 100644
|--- a/docs/api/spec/components/schemas/configconnectionprofile.yaml
|+++ b/docs/api/spec/components/schemas/configconnectionprofile.yaml
--------------------------
File to patch:
On Wed, Feb 13, 2019 at 6:28 PM Durand fabrice via PacketFence-users <[email protected]> wrote:
Hello William,
Can you try that:
https://patch-diff.githubusercontent.com/raw/inverse-inc/packetfence/pull/3967.diff
cd /usr/local/pf
curl https://patch-diff.githubusercontent.com/raw/inverse-inc/packetfence/pull/3967.diff | patch -p1 --dry-run
If there is no error:
curl https://patch-diff.githubusercontent.com/raw/inverse-inc/packetfence/pull/3967.diff | patch -p1
Restart PacketFence, and in the connection profile 802.1X-Profile, check: dot1x_unset_on_unmatch
And retry.
Let me know if it helps.
Regards
Fabrice
On 19-02-13 at 17:43, William Blake MacIsaac via PacketFence-users wrote:
I'm hoping someone can help me. I'm trying to set up
802.1x-Wireless to allow users to connect to an SSID
utilizing domain credentials. The problem is, when users
connect and enter their username and password, they are not
being tested against the authentication sources I have
set up; they are just being allowed to connect, regardless of whether
they are part of the group or not. I can even delete the
whole authentication source and they are still being
authenticated.. what the hell? :(, please help
:19:39 PacketFence packetfence_httpd.aaa: httpd.aaa(8345)
INFO: [mac:8c:f5:a3:a2:d4:18] handling radius autz request:
from switch_ip => (10.100.2.254), connection_type =>
Wireless-802.11-EAP,switch_mac => (00:15:5d:01:3d:00), mac
=> [8c:f5:a3:a2:d4:18], port => 12290, username =>
"bmacisaaca", ssid => YC-IT (pf::radius::authorize)
Feb 13 14:19:39 PacketFence packetfence_httpd.aaa:
httpd.aaa(8345) INFO: [mac:8c:f5:a3:a2:d4:18] Instantiate
profile 802.1X-Profile
(pf::Connection::ProfileFactory::_from_profile)
Feb 13 14:19:39 PacketFence packetfence_httpd.aaa:
httpd.aaa(8345) INFO: [mac:8c:f5:a3:a2:d4:18] Found
authentication source(s) : 'local,8021X-Wireless' for realm
'null' (pf::config::util::filter_authentication_sources)
Feb 13 14:19:39 PacketFence packetfence_httpd.aaa:
httpd.aaa(8345) WARN: [mac:8c:f5:a3:a2:d4:18] Calling match
with empty/invalid rule class. Defaulting to
'authentication' (pf::authentication::match2)
Feb 13 14:19:39 PacketFence packetfence_httpd.aaa:
httpd.aaa(8345) INFO: [mac:8c:f5:a3:a2:d4:18] Using sources
local, 8021X-Wireless for matching (pf::authentication::match2)
Feb 13 14:19:39 PacketFence packetfence_httpd.aaa:
httpd.aaa(8345) INFO: [mac:8c:f5:a3:a2:d4:18] LDAP testing
connection (pf::LDAP::expire_if)
Feb 13 14:19:39 PacketFence packetfence_httpd.aaa:
httpd.aaa(8345) INFO: [mac:8c:f5:a3:a2:d4:18] Role has
already been computed and we don't want to recompute it.
Getting role from node_info (pf::role::getRegisteredRole)
Feb 13 14:19:39 PacketFence packetfence_httpd.aaa:
httpd.aaa(8345) INFO: [mac:8c:f5:a3:a2:d4:18] Username was
defined "bmacisaaca" - returning role 'YC-IT-WIFI'
(pf::role::getRegisteredRole)
Feb 13 14:19:39 PacketFence packetfence_httpd.aaa:
httpd.aaa(8345) INFO: [mac:8c:f5:a3:a2:d4:18] PID:
"bmacisaaca", Status: reg Returned VLAN: (undefined), Role:
YC-IT-WIFI (pf::role::fetchRoleForNode)
Feb 13 14:19:39 PacketFence packetfence_httpd.aaa:
httpd.aaa(8345) WARN: [mac:8c:f5:a3:a2:d4:18] No parameter
YC-IT-WIFIVlan found in conf/switches.conf for the switch
10.100.2.254 (pf::Switch::getVlanByName)
Feb 13 14:19:39 PacketFence pfqueue: pfqueue(33849) INFO:
[mac:unknown] undefined source id provided
(pf::lookup::person::lookup_person)
Feb 13 14:19:39 PacketFence packetfence_httpd.aaa:
httpd.aaa(8345) INFO: [mac:8c:f5:a3:a2:d4:18] violation
1300003 force-closed for 8c:f5:a3:a2:d4:18
(pf::violation::violation_force_close)
Feb 13 14:19:39 PacketFence packetfence_httpd.aaa:
httpd.aaa(8345) INFO: [mac:8c:f5:a3:a2:d4:18] Instantiate
profile 802.1X-Profile
(pf::Connection::ProfileFactory::_from_profile)
Feb 13 14:21:15 PacketFence packetfence_httpd.aaa:
httpd.aaa(8345) INFO: [mac:8c:f5:a3:a2:d4:18] handling
radius autz request: from switch_ip => (10.100.2.254),
connection_type => Wireless-802.11-EAP,switch_mac =>
(00:15:5d:01:3d:00), mac => [8c:f5:a3:a2:d4:18], port =>
12290, username => "bmacisaaca", ssid => YC-IT
(pf::radius::authorize)
Feb 13 14:21:15 PacketFence packetfence_httpd.aaa:
httpd.aaa(8345) INFO: [mac:8c:f5:a3:a2:d4:18] Instantiate
profile 802.1X-Profile
(pf::Connection::ProfileFactory::_from_profile)
Feb 13 14:21:15 PacketFence packetfence_httpd.aaa:
httpd.aaa(8345) INFO: [mac:8c:f5:a3:a2:d4:18] Found
authentication source(s) : 'local' for realm 'null'
(pf::config::util::filter_authentication_sources)
Feb 13 14:21:15 PacketFence packetfence_httpd.aaa:
httpd.aaa(8345) WARN: [mac:8c:f5:a3:a2:d4:18] Calling match
with empty/invalid rule class. Defaulting to
'authentication' (pf::authentication::match2)
Feb 13 14:21:15 PacketFence packetfence_httpd.aaa:
httpd.aaa(8345) INFO: [mac:8c:f5:a3:a2:d4:18] Using sources
local for matching (pf::authentication::match2)
Feb 13 14:21:15 PacketFence packetfence_httpd.aaa:
httpd.aaa(8345) INFO: [mac:8c:f5:a3:a2:d4:18] Role has
already been computed and we don't want to recompute it.
Getting role from node_info (pf::role::getRegisteredRole)
Feb 13 14:21:15 PacketFence packetfence_httpd.aaa:
httpd.aaa(8345) INFO: [mac:8c:f5:a3:a2:d4:18] Username was
defined "bmacisaaca" - returning role 'YC-IT-WIFI'
(pf::role::getRegisteredRole)
Feb 13 14:21:15 PacketFence packetfence_httpd.aaa:
httpd.aaa(8345) INFO: [mac:8c:f5:a3:a2:d4:18] PID:
"bmacisaaca", Status: reg Returned VLAN: (undefined), Role:
YC-IT-WIFI (pf::role::fetchRoleForNode)
Feb 13 14:21:15 PacketFence packetfence_httpd.aaa:
httpd.aaa(8345) WARN: [mac:8c:f5:a3:a2:d4:18] No parameter
YC-IT-WIFIVlan found in conf/switches.conf for the switch
10.100.2.254 (pf::Switch::getVlanByName)
Feb 13 14:21:15 PacketFence packetfence_httpd.aaa:
httpd.aaa(8345) INFO: [mac:8c:f5:a3:a2:d4:18] violation
1300003 force-closed for 8c:f5:a3:a2:d4:18
(pf::violation::violation_force_close)
Feb 13 14:21:15 PacketFence packetfence_httpd.aaa:
httpd.aaa(8345) INFO: [mac:8c:f5:a3:a2:d4:18] Instantiate
profile 802.1X-Profile
(pf::Connection::ProfileFactory::_from_profile)
Feb 13 14:21:15 PacketFence pfqueue: pfqueue(32627) INFO:
[mac:unknown] undefined source id provided
(pf::lookup::person::lookup_person)
^C
[root@PacketFence logs]# tail -f packetfence.log
Feb 13 14:28:49 PacketFence packetfence_httpd.aaa:
httpd.aaa(8345) INFO: [mac:8c:f5:a3:a2:d4:18] Found
authentication source(s) : 'local' for realm 'null'
(pf::config::util::filter_authentication_sources)
Feb 13 14:28:49 PacketFence packetfence_httpd.aaa:
httpd.aaa(8345) WARN: [mac:8c:f5:a3:a2:d4:18] Calling match
with empty/invalid rule class. Defaulting to
'authentication' (pf::authentication::match2)
Feb 13 14:28:49 PacketFence packetfence_httpd.aaa:
httpd.aaa(8345) INFO: [mac:8c:f5:a3:a2:d4:18] Using sources
local for matching (pf::authentication::match2)
Feb 13 14:28:49 PacketFence pfqueue: pfqueue(101125) INFO:
[mac:unknown] undefined source id provided
(pf::lookup::person::lookup_person)
Feb 13 14:28:49 PacketFence packetfence_httpd.aaa:
httpd.aaa(8345) INFO: [mac:8c:f5:a3:a2:d4:18] Role has
already been computed and we don't want to recompute it.
Getting role from node_info (pf::role::getRegisteredRole)
Feb 13 14:28:49 PacketFence packetfence_httpd.aaa:
httpd.aaa(8345) INFO: [mac:8c:f5:a3:a2:d4:18] Username was
defined "bmacisaaca" - returning role 'YC-IT-WIFI'
(pf::role::getRegisteredRole)
Feb 13 14:28:49 PacketFence packetfence_httpd.aaa:
httpd.aaa(8345) INFO: [mac:8c:f5:a3:a2:d4:18] PID:
"bmacisaaca", Status: reg Returned VLAN: (undefined), Role:
YC-IT-WIFI (pf::role::fetchRoleForNode)
Feb 13 14:28:49 PacketFence packetfence_httpd.aaa:
httpd.aaa(8345) WARN: [mac:8c:f5:a3:a2:d4:18] No parameter
YC-IT-WIFIVlan found in conf/switches.conf for the switch
10.100.2.254 (pf::Switch::getVlanByName)
Feb 13 14:28:49 PacketFence packetfence_httpd.aaa:
httpd.aaa(8345) INFO: [mac:8c:f5:a3:a2:d4:18] violation
1300003 force-closed for 8c:f5:a3:a2:d4:18
(pf::violation::violation_force_close)
Feb 13 14:28:49 PacketFence packetfence_httpd.aaa:
httpd.aaa(8345) INFO: [mac:8c:f5:a3:a2:d4:18] Instantiate
profile 802.1X-Profile
(pf::Connection::ProfileFactory::_from_profile)
_______________________________________________
PacketFence-users mailing list
[email protected]
<mailto:[email protected]>
https://lists.sourceforge.net/lists/listinfo/packetfence-users
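Added example (not from the thread or from PacketFence): a small Python filter for the symptom visible in the log excerpt above, where a RADIUS authorize request ends with the role being read back from node_info ("Role has already been computed and we don't want to recompute it") rather than coming from an authentication source. It assumes each log entry sits on one line, as in packetfence.log itself; find_reused_roles and SAMPLE_LOG are hypothetical names, and the sample lines are constructed from the excerpt.

```python
import re

# Constructed sample: entries modelled on the thread's packetfence.log excerpt, one
# entry per line. The second request (MAC 00:11:22:33:44:55) is made up.
SAMPLE_LOG = """\
Feb 13 14:21:15 PacketFence packetfence_httpd.aaa: httpd.aaa(8345) INFO: [mac:8c:f5:a3:a2:d4:18] handling radius autz request: from switch_ip => (10.100.2.254), connection_type => Wireless-802.11-EAP, mac => [8c:f5:a3:a2:d4:18], username => "bmacisaaca", ssid => YC-IT (pf::radius::authorize)
Feb 13 14:21:15 PacketFence packetfence_httpd.aaa: httpd.aaa(8345) INFO: [mac:8c:f5:a3:a2:d4:18] Found authentication source(s) : 'local' for realm 'null' (pf::config::util::filter_authentication_sources)
Feb 13 14:21:15 PacketFence packetfence_httpd.aaa: httpd.aaa(8345) INFO: [mac:8c:f5:a3:a2:d4:18] Role has already been computed and we don't want to recompute it. Getting role from node_info (pf::role::getRegisteredRole)
Feb 13 14:21:15 PacketFence packetfence_httpd.aaa: httpd.aaa(8345) INFO: [mac:8c:f5:a3:a2:d4:18] Username was defined "bmacisaaca" - returning role 'YC-IT-WIFI' (pf::role::getRegisteredRole)
Feb 13 14:21:15 PacketFence pfqueue: pfqueue(32627) INFO: [mac:unknown] undefined source id provided (pf::lookup::person::lookup_person)
Feb 13 14:22:01 PacketFence packetfence_httpd.aaa: httpd.aaa(8345) INFO: [mac:00:11:22:33:44:55] handling radius autz request: from switch_ip => (10.100.2.254), username => "example_user", ssid => YC-IT (pf::radius::authorize)
Feb 13 14:22:01 PacketFence packetfence_httpd.aaa: httpd.aaa(8345) INFO: [mac:00:11:22:33:44:55] Found authentication source(s) : 'local,8021X-Wireless' for realm 'null' (pf::config::util::filter_authentication_sources)
"""

ENTRY = re.compile(r"\[mac:(?P<mac>[0-9a-f:]{17})\] (?P<msg>.*)")
USER = re.compile(r'username => "([^"]*)"')
SOURCES = re.compile(r"Found authentication source\(s\) : '([^']*)'")
ROLE = re.compile(r"returning role '([^']*)'")

def find_reused_roles(log_text):
    """Return the authorize requests whose role was read back from node_info."""
    pending, flagged = {}, []          # pending: mac -> request still being read
    for line in log_text.splitlines():
        entry = ENTRY.search(line)
        if not entry:                  # e.g. pfqueue lines tagged [mac:unknown]
            continue
        mac, msg = entry["mac"], entry["msg"]
        if msg.startswith("handling radius autz request"):
            user = USER.search(msg)
            pending[mac] = {"mac": mac, "username": user and user.group(1),
                            "sources": [], "role": None, "reused": False}
            continue
        req = pending.get(mac)
        if req is None:
            continue
        if found := SOURCES.search(msg):
            req["sources"] = found.group(1).split(",")
        elif msg.startswith("Role has already been computed"):
            req["reused"] = True
        elif req["reused"] and (role := ROLE.search(msg)):
            req["role"] = role.group(1)
            flagged.append(pending.pop(mac))
    return flagged

if __name__ == "__main__":
    for hit in find_reused_roles(SAMPLE_LOG):
        print(hit)
```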
diff --git a/conf/profiles.conf.defaults b/conf/profiles.conf.defaults
index 3f94856..80e3e2f 100644
--- a/conf/profiles.conf.defaults
+++ b/conf/profiles.conf.defaults
@@ -30,3 +30,4 @@ device_registration=
dpsk=disabled
status=enabled
unreg_on_acct_stop=disabled
+dot1x_unset_on_unmatch=disabled
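Review bot: The default added here, dot1x_unset_on_unmatch=disabled, means an upgraded install keeps the existing behaviour until someone enables the setting on a profile. Since the key lands in profiles.conf.defaults, it is worth a line in the upgrade notes so that operators who rely on authentication source rules to gate 802.1X access know they have to turn it on.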
diff --git a/docs/api/spec/components/schemas/configconnectionprofile.yaml b/docs/api/spec/components/schemas/configconnectionprofile.yaml
index 7dbe71a..48aae9b 100644
--- a/docs/api/spec/components/schemas/configconnectionprofile.yaml
+++ b/docs/api/spec/components/schemas/configconnectionprofile.yaml
@@ -51,6 +51,10 @@ ConfigConnectionProfile:
description: When enabled, PacketFence will not use the role initialy computed
on the portal but will use the dot1x username to recompute the role.
type: string
+ dot1x_unset_on_unmatch:
+ description: When enabled, PacketFence will unset the role of the device if no
+ authentication sources returned one.
+ type: string
dpsk:
description: This enables the Dynamic PSK feature on this connection profile.
It means that the RADIUS server will answer requests with specific attributes
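Review bot: The description added for dot1x_unset_on_unmatch says "When enabled", but the schema only declares type: string, so an API client cannot tell which strings are accepted. The defaults file and the form in this patch use enabled and disabled; stating those two values in the description, or as an enum, would make the spec match.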
diff --git a/html/pfappserver/lib/pfappserver/Form/Config/Profile.pm b/html/pfappserver/lib/pfappserver/Form/Config/Profile.pm
index 9141e00..bd65e29 100644
--- a/html/pfappserver/lib/pfappserver/Form/Config/Profile.pm
+++ b/html/pfappserver/lib/pfappserver/Form/Config/Profile.pm
@@ -135,7 +135,7 @@ The main definition block
has_block 'definition' =>
(
- render_list => [qw(id description status root_module preregistration autoregister reuse_dot1x_credentials dot1x_recompute_role_from_portal dpsk default_psk_key unreg_on_acct_stop)],
+ render_list => [qw(id description status root_module preregistration autoregister reuse_dot1x_credentials dot1x_recompute_role_from_portal dot1x_unset_on_unmatch dpsk default_psk_key unreg_on_acct_stop)],
);
diff --git a/html/pfappserver/lib/pfappserver/Form/Config/ProfileCommon.pm b/html/pfappserver/lib/pfappserver/Form/Config/ProfileCommon.pm
index e7422ed..2aac318 100644
--- a/html/pfappserver/lib/pfappserver/Form/Config/ProfileCommon.pm
+++ b/html/pfappserver/lib/pfappserver/Form/Config/ProfileCommon.pm
@@ -40,7 +40,7 @@ The main definition block
has_block 'definition' =>
(
- render_list => [qw(id description root_module preregistration autoregister reuse_dot1x_credentials dot1x_recompute_role_from_portal dpsk default_psk_key unreg_on_acct_stop)],
+ render_list => [qw(id description root_module preregistration autoregister reuse_dot1x_credentials dot1x_recompute_role_from_portal dot1x_unset_on_unmatch dpsk default_psk_key unreg_on_acct_stop)],
);
=head2 captive_portal
@@ -356,6 +356,20 @@ has_field 'dot1x_recompute_role_from_portal' =>
help => 'When enabled, PacketFence will not use the role initialy computed on the portal but will use the dot1x username to recompute the role.' },
);
+=head2 dot1x_unset_on_unmatch
+
+=cut
+
+has_field 'dot1x_unset_on_unmatch' =>
+ (
+ type => 'Checkbox',
+ checkbox_value => 'enabled',
+ unchecked_value => 'disabled',
+ default => 'disabled',
+ tags => { after_element => \&help,
+ help => 'When enabled, PacketFence will unset the role of the device if no authentication sources returned one.' },
+ );
+
=head2 block_interval
The amount of time a user is blocked after reaching the defined limit for login, sms request and sms pin retry
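Review bot: The POD section for the new field is empty: =head2 dot1x_unset_on_unmatch is followed directly by =cut, while the neighbouring block_interval section carries a sentence describing the setting. Please repeat the help text there, and mention that the setting acts during autoregistration, which the help string in has_field does not say.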
diff --git a/lib/pf/Connection/Profile.pm b/lib/pf/Connection/Profile.pm
index f2ba9b7..77b1823 100644
--- a/lib/pf/Connection/Profile.pm
+++ b/lib/pf/Connection/Profile.pm
@@ -506,6 +506,17 @@ sub dot1xRecomputeRoleFromPortal {
return $self->{'_dot1x_recompute_role_from_portal'};
}
+=item dot1xUnsetOnUnmatch
+
+On autoreg if no authentication source return a role then unset the current node one
+
+=cut
+
+sub dot1xUnsetOnUnmatch {
+ my ($self) = @_;
+ return $self->{'_dot1x_unset_on_unmatch'};
+}
+
=item getScans
Returns the Scans IDs for the profile
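Review bot: dot1xUnsetOnUnmatch reads like a predicate, but it returns the raw config value from $self->{'_dot1x_unset_on_unmatch'}, so a caller that tests it directly in boolean context will treat the string disabled as true. The POD should say that the return value is the configured string and has to go through isenabled, as the caller in lib/pf/role.pm does. The POD sentence could also be tightened, for example: On autoreg, if no authentication source returns a role, unset the node's current role.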
diff --git a/lib/pf/role.pm b/lib/pf/role.pm
index 9259206..f446d45 100644
--- a/lib/pf/role.pm
+++ b/lib/pf/role.pm
@@ -594,12 +594,14 @@ sub getNodeInfoForAutoReg {
$node_info{'time_balance'} = pf::util::normalize_time($time_balance) if (defined($time_balance));
$node_info{'bandwidth_balance'} = pf::util::unpretty_bandwidth($bandwidth_balance) if (defined($bandwidth_balance));
- pf::person::person_modify($args->{'user_name'},
- 'source' => $source,
- 'portal' => $profile->getName,
- );
- # Trigger a person lookup for 802.1x users
- pf::lookup::person::async_lookup_person($args->{'user_name'}, $source, $pf::constants::realm::RADIUS_CONTEXT);
+ if ($source) {
+ pf::person::person_modify($args->{'user_name'},
+ 'source' => $source,
+ 'portal' => $profile->getName,
+ );
+ # Trigger a person lookup for 802.1x users
+ pf::lookup::person::async_lookup_person($args->{'user_name'}, $source, $pf::constants::realm::RADIUS_CONTEXT);
+ }
if (defined $unregdate) {
$node_info{'unregdate'} = $unregdate;
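Review bot: With the new if ($source) guard, a request that matched no source skips person_modify and async_lookup_person without leaving any trace. A debug log in an else branch, naming $args->{'user_name'}, would make that path visible when reading packetfence.log, where until now the only hint was the "undefined source id provided" line from lookup_person.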
@@ -608,6 +610,9 @@ sub getNodeInfoForAutoReg {
}
%node_info = (%node_info, (source => $source, portal => $profile->getName));
}
+ if (!defined($role) && isenabled($profile->dot1xUnsetOnUnmatch)) {
+ %node_info = (%node_info, (category => ''));
+ }
$node_info{'pid'} = $args->{'user_name'};
}
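Review bot: In the new block, if (!defined($role) && isenabled($profile->dot1xUnsetOnUnmatch)), the node's category is cleared without any log line, so an operator cannot tell from the log why a device lost its role. An info-level message with the user name at that point would help. Two smaller points: !defined($role) does not cover a source returning an empty string, and $node_info{'category'} = ''; says the same thing more directly than rebuilding the hash.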