Hello Robert,

What you can do is to use adsiedit.msc on the AD to be able to see the attributes of a user or a group.

There are 2 ways in AD to define a user in a group; the first one, when you edit a user, you should be able to see memberof:cn=bob,dc=acme,dc=com.

So I mean in PacketFence that you need to set memberof is equal to cn=bob,dc=acme,dc=com (exact syntax).


The other one is when you edit a group; then you should be able to see member: dn:cn=bob,dc=acme,dc=com.

Then in that case you need to copy the dn of the group and use a rule like that:

ismemberof is equal to "the dn of the group".

To test it use pftest authentication ...

Regards

Fabrice
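As an added illustration (not from Fabrice's reply and not PacketFence code), the check below takes the two attribute forms described above, a user's memberOf values and a group's member values as adsiedit.msc shows them, and tests whether a group DN written in a rule would match them. The DN comparison also reports when a value matches only after normalising case and spacing, which is the usual reason an "exact syntax" rule silently fails; the directory entries are constructed sample data.

```python
"""Check a rule's group DN against AD's two membership forms.

Added example, not PacketFence code. The entries below are constructed to
mirror what adsiedit.msc shows: the user carries memberOf, the group carries
member. Attribute and group names are hypothetical.
"""
import re

# Constructed sample data, not from a real directory.
USER_ENTRY = {
    "dn": "CN=Bob,CN=Users,DC=acme,DC=com",
    "memberOf": ["CN=CORP-LAN,OU=Groups,DC=acme,DC=com"],
}
GROUP_ENTRY = {
    "dn": "CN=CORP-LAN,OU=Groups,DC=acme,DC=com",
    "member": ["CN=Bob,CN=Users,DC=acme,DC=com"],
}


def normalize_dn(dn):
    """Lower-case types and values and drop spaces around '=' and ','.
    Sufficient for AD-style DNs; escaped commas (\\,) are left in place."""
    out = []
    for part in re.split(r"(?<!\\),", dn):
        attr, _, value = part.strip().partition("=")
        out.append(attr.strip().lower() + "=" + value.strip().lower())
    return ",".join(out)


def match_kind(rule_value, stored_values):
    """'exact' if the rule value is byte-identical to a stored DN,
    'normalized' if it matches only after normalisation, else 'none'."""
    if rule_value in stored_values:
        return "exact"
    wanted = normalize_dn(rule_value)
    if any(normalize_dn(v) == wanted for v in stored_values):
        return "normalized"
    return "none"


def check_membership(rule_group_dn, user=USER_ENTRY, group=GROUP_ENTRY):
    """Evaluate both forms: the user's memberOf list (first form) and the
    named group's member list (second form)."""
    via_member_of = match_kind(rule_group_dn, user["memberOf"])
    if normalize_dn(group["dn"]) == normalize_dn(rule_group_dn):
        via_member = match_kind(user["dn"], group["member"])
    else:
        via_member = "none"  # the rule does not even name this group
    return {"memberOf": via_member_of, "member": via_member}
```

A result of "normalized" on either side means the DN is right but is not written the same way as the directory stores it.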



On 19-06-25 at 19:18, Robert McNutt via PacketFence-users wrote:
Can someone share a working config that returns a VLAN in a radius reply based on a memberof match? I can't seem to get PF to return a vlan/role for anything other than what's defined in the node...

Here is my config if it helps.


from authentication.conf

[TLGAD]
cache_match=0
read_timeout=10
realms=tlg
password=****
searchattributes=
scope=sub
binddn=cn=****,dc=jamesburg,dc=local
port=389
description=Local AD
write_timeout=5
type=AD
basedn=dc=jamesburg,dc=local
monitor=1
set_access_level_action=
shuffle=0
email_attribute=mail
usernameattribute=sAMAccountName
connection_timeout=1
encryption=none
host=10.100.50.15
dynamic_routing_module=AuthModule

[TLGAD rule mcnutt]
action0=set_access_level=ALL
condition0=sAMAccountName,contains,mcnutt
match=all
class=administration
description=mcnutt

[TLGAD rule TEST-CORP-LAN]
action0=set_role=CORP-LAN
condition0=sAMAccountName,contains,mcnutt (just testing to make sure my rule hits)
match=any
class=authentication
action1=set_access_duration=5D

[TLGAD rule catchall]
action0=set_access_duration=5D
match=all
class=authentication
action1=set_role=CORP-LAN

CORP-VLAN on a given switch maps to VLAN 120, but the vlan is never returned in the radius reply.

Only when I choose that role for the device in the node settings do the 3 vlan attributes get re-assigned.


Robert McNutt


_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users