Hi, is it possible to have further info on the new VPN feature?
The docs are lacking info:
I tried again from scratch on a Cisco ASA and the example config refers
to a VPN client profile that does not exist by default:
anyconnect profiles VPN_client_profile disk0:/VPN_client_profile.xml
Please, can you share some additional information and examples?
On 24/05/2019 14:49, Cristian Mammoli via PacketFence-users wrote:
Hi Fabrice, any chance I can get a little bit more info on this topic?
Thanks for your time
On 18/05/2019 09:33, Cristian Mammoli via PacketFence-users wrote:
Hi Fabrice, the auth source is already in use for wired and wireless
access and has role assignment working:
Testing authentication for "c.mammoli"
Authenticating against 'apra-user-auth-dc01' in context 'admin'
Authentication SUCCEEDED against apra-user-auth-dc01
(Authentication successful.)
Matched against apra-user-auth-dc01 for 'authentication' rules
set_role : staff_it
set_access_duration : 10Y
Matched against apra-user-auth-dc01 for 'administration' rules
set_access_level : ALL
mark_as_sponsor : 1
Authenticating against 'apra-user-auth-dc01' in context 'portal'
Authentication SUCCEEDED against apra-user-auth-dc01
(Authentication successful.)
Matched against apra-user-auth-dc01 for 'authentication' rules
set_role : staff_it
set_access_duration : 10Y
Matched against apra-user-auth-dc01 for 'administration' rules
set_access_level : ALL
mark_as_sponsor : 1
In authentication.conf:
[apra-user-auth-dc01]
cache_match=0
realms=apra,apra.it,default,null
basedn=dc=apra,dc=it
password=XXXXXXXXXXXXXX
set_access_level_action=
scope=sub
email_attribute=mail
usernameattribute=sAMAccountName
connection_timeout=5
binddn=cn=packetfence,cn=Users,dc=apra,dc=it
encryption=starttls
port=389
description=Apra User authentication
host=192.168.0.7,192.168.0.76
type=AD
read_timeout=10
write_timeout=5
monitor=1
dynamic_routing_module=AuthModule
shuffle=1
searchattributes=
[apra-user-auth-dc01 rule Administrator]
action0=set_access_level=ALL
condition0=memberOf,equals,CN=Tecnici,OU=Gruppi apra,OU=Utenti,DC=apra,DC=it
match=all
class=administration
action1=mark_as_sponsor=1
[apra-user-auth-dc01 rule Sponsors]
action0=mark_as_sponsor=1
match=all
class=administration
[apra-user-auth-dc01 rule Voice]
action0=set_role=voice
condition0=sAMAccountName,equals,voice
match=all
class=authentication
action1=set_access_duration=10Y
[apra-user-auth-dc01 rule Staff_IT]
action0=set_role=staff_it
condition0=memberOf,equals,CN=Tecnici,OU=Gruppi apra,OU=Utenti,DC=apra,DC=it
match=all
class=authentication
action1=set_access_duration=10Y
[apra-user-auth-dc01 rule Employees]
action0=set_role=employees
match=all
class=authentication
action1=set_access_duration=10Y
Regards
On 17/05/2019 19:38, Fabrice Durand via PacketFence-users wrote:
Hello Cristian,
first you need to fix your authentication source apra-user-auth-dc01
and add an authentication rule that returns a role and an access
duration. (use: /usr/local/pf/bin/pftest authentication c.mammoli
bob apra-user-auth-dc01)
After that you should be able to see a role associated to your
device and probably something better in the radius audit log and we
will see for the next steps.
Regards
Fabrice
On 2019-05-17 at 12:37, Cristian Mammoli via PacketFence-users wrote:
Cisco ASA VPN Configuration in 9.0
Hi, I'm trying to configure our ASA for VPN authentication but the
docs are a little bit vague considering this is a new concept
Steps I did:
* Added the ASA in the switch group, configured PSK etc.
* Configured access list in "Role by Access List"
* Added a connection profile with the following filter: switch=<asa
ip address>
* I used an existing authentication source with LDAP role assignment
* Configured the PacketFence RADIUS server in the ASA and the VPN
as in the example provided
Now what?
I can connect via vpn and surf the Internet
In the audit log I see my authentication:
Request Time
0
RADIUS Request
User-Name = "c.mammoli"
User-Password = "******"
NAS-IP-Address = 10.11.10.254
NAS-Port = 186806272
Called-Station-Id = "X.X.X.X"
Calling-Station-Id = "5.90.220.187"
NAS-Port-Type = Virtual
Tunnel-Client-Endpoint:0 = "5.90.220.187"
Event-Timestamp = "May 17 2019 18:27:47 CEST"
Cisco-AVPair = "audit-session-id=0a0b0afe0b2270005cdee105"
Cisco-AVPair = "ip:source-ip=5.90.220.187"
Cisco-AVPair = "coa-push=true"
ASA-TunnelGroupName = "VPN"
ASA-ClientType = AnyConnect-Client-SSL-VPN
Stripped-User-Name = "c.mammoli"
Realm = "null"
FreeRADIUS-Client-IP-Address = 10.11.10.254
SQL-User-Name = "c.mammoli"
RADIUS Reply
But the reply is empty
In the logs:
httpd.aaa(6766) INFO: [mac:c4:86:e9:96:61:e1] Unable to extract MAC
from Called-Station-Id: 89.97.236.20
(pf::radius::extractApMacFromRadiusRequest)
httpd.aaa(6766) INFO: [mac:c4:86:e9:96:61:e1] LDAP testing
connection (pf::LDAP::expire_if)
httpd.aaa(6766) WARN: [mac:c4:86:e9:96:61:e1]
[apra-machine-auth-dc01] No entries found (0) with filter
(servicePrincipalName=c.mammoli) from dc=apra,dc=it on
192.168.0.76:389
(pf::Authentication::Source::LDAPSource::authenticate)
httpd.aaa(6766) INFO: [mac:c4:86:e9:96:61:e1] LDAP testing
connection (pf::LDAP::expire_if)
httpd.aaa(6766) INFO: [mac:c4:86:e9:96:61:e1] [apra-user-auth-dc01]
Authentication successful for c.mammoli
(pf::Authentication::Source::LDAPSource::authenticate)
httpd.aaa(6766) INFO: [mac:c4:86:e9:96:61:e1] Authentication
successful for c.mammoli in source apra-user-auth-dc01 (AD)
(pf::authentication::authenticate)
httpd.aaa(6766) WARN: [mac:c4:86:e9:96:61:e1] Use of uninitialized
value $roleName in hash element at /usr/local/pf/lib/pf/Switch.pm
line 783.
httpd.aaa(6766) WARN: [mac:c4:86:e9:96:61:e1] Use of uninitialized
value $roleName in concatenation (.) or string at
/usr/local/pf/lib/pf/Switch.pm line 786.
(pf::Switch::getRoleByName)
It looks like the connection profile isn't even matched, and all
authentication sources are tried even if I only specified one
BTW, what is the redirect ACL in the docs used for? It is not
applied anywhere and I can't see it in the ASA.pm code
The docs say: "You can force VPN users to authenticate first on the
captive portal and based on the role of the device allow it and/or
set dynamic ACL."
Is the portal authentication a requirement? I would like to
authenticate users and assign a dynamic ACL without external portal
authentication
Thanks
C.
_______________________________________________
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users
--
*Cristian Mammoli*
System Administrator
T. +39 0731 719822
www.apra.it <http://www.apra.it>
ApraSpa
*Notice on the protection of confidential information.* This message
was sent by Apra spa or by one of the companies of the Group. It and
any attachments may contain information of an extremely reserved and
confidential nature. If you are not the designated recipients, please
inform us immediately by the same means and delete the message and any
attachments, without retaining a copy.
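Fabrice's advice turns on whether an authentication-class rule actually fires for the user, and the thread's own authentication.conf shows the ordering that matters (the Voice rule sits before Staff_IT, and Employees is a catch-all with no conditions). The following is an added example written for this page, a small ordered rule matcher over exactly those rule sections; it is not PacketFence's own pf::Authentication code. It assumes, without the thread saying so, that rules of one class are tried in file order with the first match winning, that a rule with no conditions matches everyone, and that attribute values compare case-insensitively; the users `voice` and `j.doe` and their group memberships are constructed sample data, and `RULES_NO_CATCHALL`, `decide`, `parse_rules` and `condition_holds` are names invented here.

```python
"""Ordered rule matching for a PacketFence-style AD authentication source.
Added illustration, NOT PacketFence's own code. Assumptions (not from the
thread): rules of one class are tried in file order and the first whose
conditions hold wins; no conditions means match everyone; comparisons
are case-insensitive."""
import configparser
import re
from dataclasses import dataclass

# Constructed sample: the rule sections posted in the thread, with the memberOf
# DN that was line-wrapped in the mail rejoined on one line.
SAMPLE_CONF = """
[apra-user-auth-dc01 rule Administrator]
action0=set_access_level=ALL
condition0=memberOf,equals,CN=Tecnici,OU=Gruppi apra,OU=Utenti,DC=apra,DC=it
match=all
class=administration
action1=mark_as_sponsor=1
[apra-user-auth-dc01 rule Sponsors]
action0=mark_as_sponsor=1
match=all
class=administration
[apra-user-auth-dc01 rule Voice]
action0=set_role=voice
condition0=sAMAccountName,equals,voice
match=all
class=authentication
action1=set_access_duration=10Y
[apra-user-auth-dc01 rule Staff_IT]
action0=set_role=staff_it
condition0=memberOf,equals,CN=Tecnici,OU=Gruppi apra,OU=Utenti,DC=apra,DC=it
match=all
class=authentication
action1=set_access_duration=10Y
[apra-user-auth-dc01 rule Employees]
action0=set_role=employees
match=all
class=authentication
action1=set_access_duration=10Y
"""

@dataclass
class Rule:
    name: str
    klass: str        # "authentication" or "administration"
    match: str        # "all" or "any"
    conditions: list  # [(attribute, operator, value), ...]
    actions: list     # [(action, value), ...]

def parse_rules(text, source):
    """Rules of `source`, in file order."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keep attribute names such as sAMAccountName intact
    cp.read_string(text)
    prefix = f"{source} rule "
    rules = []
    for section in cp.sections():  # sections() preserves file order
        if section.startswith(prefix):
            it = cp[section]
            # the third field of a condition may itself contain commas (a DN)
            conds = [tuple(it[k].split(",", 2)) for k in sorted(it) if k.startswith("condition")]
            acts = [tuple(it[k].split("=", 1)) for k in sorted(it) if k.startswith("action")]
            rules.append(Rule(section[len(prefix):], it.get("class", "authentication"),
                              it.get("match", "all"), conds, acts))
    return rules

def condition_holds(user, cond):
    attr, op, want = cond
    have = user.get(attr, [])
    have = [v.lower() for v in ([have] if isinstance(have, str) else have)]  # multi-valued attrs
    want = want.lower()
    if op == "equals":
        return want in have
    if op == "not_equals":
        return want not in have
    if op == "matches":
        return any(re.search(want, v) for v in have)
    raise ValueError(f"unsupported operator {op!r}")

def decide(rules, user, klass):
    """First matching rule of `klass` -> (actions dict, rule name);
    ({}, None) when nothing fires, i.e. no role or duration to hand out."""
    for rule in rules:
        if rule.klass != klass:
            continue
        res = [condition_holds(user, c) for c in rule.conditions]
        if not res or (all(res) if rule.match == "all" else any(res)):
            return dict(rule.actions), rule.name
    return {}, None

TECNICI = "CN=Tecnici,OU=Gruppi apra,OU=Utenti,DC=apra,DC=it"
# Constructed users: c.mammoli's group is from the thread; "voice" and "j.doe" are invented.
USERS = {
    "c.mammoli": {"sAMAccountName": "c.mammoli", "memberOf": [TECNICI]},
    "voice": {"sAMAccountName": "voice", "memberOf": []},
    "j.doe": {"sAMAccountName": "j.doe",
              "memberOf": ["CN=Sales,OU=Gruppi apra,OU=Utenti,DC=apra,DC=it"]},
}
RULES = parse_rules(SAMPLE_CONF, "apra-user-auth-dc01")
# Without the catch-all Employees rule, a user in no listed group gets no role at all.
RULES_NO_CATCHALL = [r for r in RULES if r.name != "Employees"]
```

Running `decide(RULES, USERS["c.mammoli"], "authentication")` reproduces the pftest output from the thread (`set_role staff_it`, `set_access_duration 10Y` from Staff_IT), while the same user with the Employees rule removed and no Tecnici membership gets `({}, None)`: the matcher returns nothing, which is the kind of "no role" outcome Fabrice is telling Cristian to rule out before looking at the VPN side.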