Dear Fabrice,
I didn't know about your solution, so I'd choose to change the inner-tunnel:
authorize {
    ...
    if ( "%{outer.request:User-Name}" != "%{User-Name}" ) {
        fail
        ....
    }
Best regards
Enrico
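As an added example (not from the thread or from the PacketFence project), this is how the alternative described further down in the thread could be written in FreeRADIUS 3 unlang: the server that terminates the TLS tunnel copies the authenticated inner identity into the outer Access-Accept, and the proxying PacketFence server replaces the anonymous outer User-Name in its request with that value before authorization, so the anonymous outer identity stays on the wire while the user that is logged and accounted is the real one. It assumes both servers run FreeRADIUS 3; the section, list and attribute names are standard unlang, but the placement of the post-proxy block relative to PacketFence's own REST authorization, and that the generated PacketFence configuration lets you edit it there, are assumptions.

```unlang
# --- External RADIUS server (terminates EAP-TTLS/PEAP), sites-enabled/inner-tunnel ---
# Added example, not the project's configuration. post-auth in the inner tunnel runs
# after the tunneled identity (e.g. "becchett") has actually been authenticated.
post-auth {
    # %{User-Name} here is the inner identity; the outer request still carries the
    # anonymous routing identity. Expose the inner one in the Access-Accept that goes
    # back to the proxy, instead of relying on the deprecated use_tunneled_reply.
    update outer.reply {
        &User-Name := "%{User-Name}"
    }
}

# --- PacketFence side (proxies the realm to the external server), default site ---
# Assumption: this post-proxy section is evaluated before PacketFence's REST
# authorization call, so the rewritten User-Name is what ends up in packetfence.log.
post-proxy {
    # Only rewrite when the home server accepted and told us whom it authenticated,
    # and only when that differs from the outer identity we proxied.
    if (&proxy-reply:User-Name && "%{proxy-reply:User-Name}" != "%{User-Name}") {
        update request {
            &User-Name := "%{proxy-reply:User-Name}"
        }
    }
}
```

With this in place an Access-Accept without a User-Name in the reply leaves the request untouched, so a home server that does not cooperate falls back to the old behaviour (logging the anonymous identity) rather than failing the login.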
On 09/05/2019 23:52, Durand fabrice via PacketFence-users wrote:
Another solution can be to add an attribute in the reply (from the
external radius server) with the user name from the inner tunnel and,
in the post-proxy section, rewrite the username.
Regards
Fabrice
On 19-05-09 at 15 h 21, Enrico via PacketFence-users wrote:
Hello Fabrice,
In fact you understand very well: the PF proxy doesn't show what is in
the inner tunnel,
so I changed the config of my RADIUS backend to check and allow
login only if the identity
is the same as the username held in the inner tunnel.
Thanks again.
Best regards.
Enrico
On 09/05/19 00:42, Durand fabrice via PacketFence-users wrote:
Hello Enrico,
As I understand your setup, it looks like you proxy the request to
another server (based on the realm pg.infn.it), but since you proxy
the request PacketFence doesn't have access to the inner tunnel.
So the only solution is to authenticate the RADIUS request directly
on PacketFence.
Regards
Fabrice
On 19-05-08 at 05 h 19, Enrico Becchetti via PacketFence-users wrote:
On 07/05/2019 13:36, Nicolas Quiniou-Briand via PacketFence-users
wrote:
Hello Enrico,
Could you provide me a full example?
1. a MAC address which has issue
2. Actual results
3. Expected results
4. packetfence.log for this MAC address
1) 70:54:d2:bc:be:91
2) Login with 802.1X from the cabled network with identity anonymous
3) Log access with the username. PacketFence is configured to proxy
the RADIUS request.
pfsrv, packetfence.log:
Apr 26 14:28:59 pfsrv packetfence_httpd.aaa: httpd.aaa(20274) INFO:
[mac:70:54:d2:bc:be:91] handling radius autz request: from
switch_ip => (10.0.3.33), connection_type =>
Ethernet-EAP,switch_mac => (00:18:fe:e3:52:e0), mac =>
[70:54:d2:bc:be:91], port => 5, username =>
"[email protected]" (pf::radius::authorize)
Apr 26 14:28:59 pfsrv packetfence_httpd.aaa: httpd.aaa(20274) INFO:
[mac:70:54:d2:bc:be:91] Instantiate profile INFN-WIRED
(pf::Connection::ProfileFactory::_from_profile)
Apr 26 14:29:00 pfsrv packetfence_httpd.aaa: httpd.aaa(20274) INFO:
[mac:70:54:d2:bc:be:91] Found authentication source(s) :
'RADIUS-AAI' for realm 'default'
(pf::config::util::filter_authentication_sources)
Apr 26 14:29:00 pfsrv packetfence_httpd.aaa: httpd.aaa(20274) WARN:
[mac:70:54:d2:bc:be:91] Calling match with empty/invalid rule
class. Defaulting to 'authentication' (pf::authentication::match2)
Apr 26 14:29:00 pfsrv packetfence_httpd.aaa: httpd.aaa(20274) INFO:
[mac:70:54:d2:bc:be:91] Using sources RADIUS-AAI for matching
(pf::authentication::match2)
Apr 26 14:29:00 pfsrv packetfence_httpd.aaa: httpd.aaa(20274) INFO:
[mac:70:54:d2:bc:be:91] Matched rule (catchall) in source
RADIUS-AAI, returning actions. (pf::Authentication::Source::match_rule)
Apr 26 14:29:00 pfsrv packetfence_httpd.aaa: httpd.aaa(20274) INFO:
[mac:70:54:d2:bc:be:91] Matched rule (catchall) in source
RADIUS-AAI, returning actions. (pf::Authentication::Source::match)
Apr 26 14:29:00 pfsrv packetfence_httpd.aaa: httpd.aaa(20274) INFO:
[mac:70:54:d2:bc:be:91] Role has already been computed and we don't
want to recompute it. Getting role from node_info
(pf::role::getRegisteredRole)
Apr 26 14:29:00 pfsrv packetfence_httpd.aaa: httpd.aaa(20274) INFO:
[mac:70:54:d2:bc:be:91] Username was defined "[email protected]"
- returning role 'default' (pf::role::getRegisteredRole)
Apr 26 14:29:00 pfsrv packetfence_httpd.aaa: httpd.aaa(20274) INFO:
[mac:70:54:d2:bc:be:91] PID: "[email protected]", Status: reg
Returned VLAN: (undefined), Role: default (pf::role::fetchRoleForNode)
Apr 26 14:29:00 pfsrv packetfence_httpd.aaa: httpd.aaa(20274) INFO:
[mac:70:54:d2:bc:be:91] (10.0.3.33) Added VLAN 25 to the returned
RADIUS Access-Accept (pf::Switch::returnRadiusAccessAccept)
...
pfsrv, radius.log:
Apr 26 14:29:00 pfsrv auth[20791]: [mac:70:54:d2:bc:be:91] Accepted
user: and returned VLAN 25
Apr 26 14:29:00 pfsrv auth[20791]: (75) Login OK:
[[email protected]] (from client 10.0.3.33 port 5 cli
70:54:d2:bc:be:91)
....
Log external radius server:
(309) Login OK: [becchett] (from client pfsrv port 0 via TLS tunnel)
2019-04-26T12:28:59.792Z
Thanks a lot
Enrico
--
_______________________________________________________________________
Enrico Becchetti Servizio di Calcolo e Reti
Istituto Nazionale di Fisica Nucleare - Sezione di Perugia
Via Pascoli,c/o Dipartimento di Fisica 06123 Perugia (ITALY)
Phone:+39 075 5852777 Mail: Enrico.Becchetti<at>pg.infn.it
______________________________________________________________________
_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users