Hello Fabrice,

By using the condition DN,contain,OU=.... I get rejected. I've created 3 groups in my AD and created 3 filters with this condition:

memberOf, equal, CN=Services,OU=Service,OU=Utilisateurs,OU=Maquette,DC=NOVASYS,DC=LOCAL

By doing "pftest authentication pfadmin password SourceAD" I get:

Authenticating against 'SourceAD' in context 'admin'
Authentication SUCCEEDED against SourceAD (Authentication successful.)
Matched against SourceAD for 'authentication' rules
set_role : Service
set_access_duration : 12h
Did not match against SourceAD for 'administration' rules
Authenticating against 'SourceAD' in context 'portal'
Authentication SUCCEEDED against SourceAD (Authentication successful.)
Matched against SourceAD for 'authentication' rules
set_role : Service
set_access_duration : 12h
Did not match against SourceAD for 'administration' rules

I just discovered that my switch was doing "DOT1X-5-RESULT_OVERRIDE: Authentication result overridden for client (3497.f614.49e4) on Interface Fa0/13" and was blocking my port.

In PF logs I saw:

External portal enforcement either not supported '1' or not configured 'N' on network equipment '192.168.0.201' (pf::Switch::externalPortalEnforcement)
INFO: [mac:34:97:f6:14:49:e4] violation 1300003 force-closed for 34:97:f6:14:49:e4 (pf::violation::violation_force_close)

My bad, I left a useless configuration in the switch which made confusion in PacketFence and rejected the user.

Resolved, thanks for helping :)

Adrian

From: "packetfence-users" <[email protected]>
To: "packetfence-users" <[email protected]>
Cc: "Durand fabrice" <[email protected]>
Sent: Wednesday 20 February 2019 02:35:34
Subject: Re: [PacketFence-users] Assigning role based on Active Directory name

Hello Adrian,

in my opinion it will be easier to have only one authentication source but 3 rules.

Something like:

Base DN : OU=Utilisateurs,OU=Maquette,DC=NOVASYS,DC=LOCAL

* Name : Service_Auth
* Description : Service Users
* Contains : Everything
* condition: dn,contain,OU=Service,OU=Utilisateurs,OU=Maquette,DC=NOVASYS,DC=LOCAL
* Action :
  - Role : Service
  - Unregistration date : January 01 2020

* Name : Production_Auth
* Description : Service Users
* Contains : Everything
* condition: dn,contain,OU=Production,OU=Utilisateurs,OU=Maquette,DC=NOVASYS,DC=LOCAL
* Action :
  - Role : Production
  - Unregistration date : January 01 2020

...

and at the end a catch_all rule that returns the REJECT role.

Then in the connection profile with a filter Ethernet-EAP, check Autoregister.

This should be ok with that.

Also as Nicolas says, can you share the packetfence.log file when the device connects?

Thanks

Regards
Fabrice
_______________________________________________ PacketFence-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/packetfence-users
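Fabrice's "one source, three ordered rules" layout, modelled as an added example that is not PacketFence code and not from either poster: it evaluates "dn contains" conditions first-match with a trailing catch-all REJECT against constructed user DNs, so a reader can check which role a DN would receive before loading the rules. The Rule class, evaluate() and the sample DNs are assumptions of this example; only the base DN, rule names, conditions and roles come from the thread.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Base DN from Fabrice's proposal; every rule condition ends with this suffix.
BASE_DN = "OU=Utilisateurs,OU=Maquette,DC=NOVASYS,DC=LOCAL"


@dataclass
class Rule:
    """One authentication rule: an optional 'dn contains' condition plus actions."""
    name: str
    role: str
    dn_contains: Optional[str] = None   # None = catch-all rule (no condition)
    unregdate: Optional[str] = None

    def matches(self, user_dn: str) -> bool:
        if self.dn_contains is None:
            return True
        # Case-insensitive substring test (LDAP DNs are case-insensitive). Because the
        # condition carries the full parent path, "OU=Service,OU=..." does not match a
        # sibling like "OU=Services,OU=...", but it does match OUs nested below Service.
        return self.dn_contains.lower() in user_dn.lower()


# Rules are evaluated in order, so the catch-all must be last.
RULES: List[Rule] = [
    Rule("Service_Auth", "Service", f"OU=Service,{BASE_DN}", "2020-01-01"),
    Rule("Production_Auth", "Production", f"OU=Production,{BASE_DN}", "2020-01-01"),
    Rule("catch_all", "REJECT"),
]


def evaluate(user_dn: str, rules: List[Rule] = RULES) -> Rule:
    """Return the first rule whose condition matches the user's DN."""
    for rule in rules:
        if rule.matches(user_dn):
            return rule
    raise LookupError("no rule matched: add a catch-all rule")


def assigned_roles(user_dns: List[str], rules: List[Rule] = RULES) -> Dict[str, str]:
    """Map each DN to the role this rule set would hand out."""
    return {dn: evaluate(dn, rules).role for dn in user_dns}


if __name__ == "__main__":
    samples = [  # constructed sample DNs, not taken from the thread
        f"CN=pfadmin,OU=Service,{BASE_DN}",
        f"CN=line1,OU=Production,{BASE_DN}",
        f"CN=intern,OU=Stagiaires,OU=Service,{BASE_DN}",  # nested under Service
        f"CN=guest,OU=Services,{BASE_DN}",                 # sibling OU: rejected
    ]
    for dn, role in assigned_roles(samples).items():
        print(f"{role:10} <- {dn}")
```

Reversing the rule order (catch-all first) rejects every DN, which is the ordering pitfall the "at the end" in the proposal guards against.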
