That's not the issue, PF is matching on the user, it's just not ever returning the role, I see this in the log:
Jun 26 00:42:44 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(8940) INFO: [mac:38:c9:86:06:f2:85] Using sources for matching (pf::authentication::match2)
Jun 26 00:42:44 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(8940) WARN: [mac:38:c9:86:06:f2:85] Use of uninitialized value $role in concatenation (.) or string at /usr/local/pf/lib/pf/role.pm line 472. (pf::role::getRegisteredRole)
Jun 26 00:42:44 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(8940) INFO: [mac:38:c9:86:06:f2:85] Username was NOT defined or unable to match a role - returning node based role '' (pf::role::getRegisteredRole)
Jun 26 00:42:44 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(8940) INFO: [mac:38:c9:86:06:f2:85] PID: "rmcnutt", Status: reg Returned VLAN: (undefined), Role: (undefined) (pf::role::fetchRoleForNode)
Jun 26 00:42:44 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(8940) WARN: [mac:38:c9:86:06:f2:85] Use of uninitialized value $vlanName in hash element at /usr/local/pf/lib/pf/Switch.pm line 800. (pf::Switch::getVlanByName)
Jun 26 00:42:44 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(8940) WARN: [mac:38:c9:86:06:f2:85] Use of uninitialized value $vlanName in concatenation (.) or string at /usr/local/pf/lib/pf/Switch.pm line 803. (pf::Switch::getVlanByName)
Jun 26 00:42:44 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(8940) WARN: [mac:38:c9:86:06:f2:85] No parameter Vlan found in conf/switches.conf for the switch 172.17.1.2 (pf::Switch::getVlanByName)
Jun 26 00:42:44 PacketFence-ZEN pfqueue: pfqueue(30760) INFO: [mac:unknown] undefined source id provided (pf::lookup::person::lookup_person)

Robert McNutt

On Tue, Jun 25, 2019 at 8:17 PM Durand fabrice via PacketFence-users <[email protected]> wrote:

> Hello Robert,
>
> What you can do is to use adsiedit.msc on the AD to be able to see the attributes of a user or a group.
>
> There are 2 ways in AD to define a user in a group. The first one: when you edit a user you should be able to see memberof: cn=bob,dc=acme,dc=com.
>
> So I mean in PacketFence that you need to set memberof is equal to cn=bob,dc=acme,dc=com (exact syntax).
>
> The other one is when you edit a group; then you should be able to see member: dn:cn=bob,dc=acme,dc=com.
>
> Then in that case you need to copy the dn of the group and use a rule like that:
>
> ismemberof is equal to "the dn of the group".
>
> To test it use pftest authentication ...
>
> Regards
>
> Fabrice
>
> On 2019-06-25 at 19:18, Robert McNutt via PacketFence-users wrote:
>
> > Can someone share a working config that returns a VLAN in a radius reply based on a memberof match? I can't seem to get PF to return a vlan/role for anything other than what's defined in the node...
> >
> > Here is my config if it helps.
> >
> > from authentication.conf
> >
> > [TLGAD]
> > cache_match=0
> > read_timeout=10
> > realms=tlg
> > password=****
> > searchattributes=
> > scope=sub
> > binddn=cn=****,dc=jamesburg,dc=local
> > port=389
> > description=Local AD
> > write_timeout=5
> > type=AD
> > basedn=dc=jamesburg,dc=local
> > monitor=1
> > set_access_level_action=
> > shuffle=0
> > email_attribute=mail
> > usernameattribute=sAMAccountName
> > connection_timeout=1
> > encryption=none
> > host=10.100.50.15
> > dynamic_routing_module=AuthModule
> >
> > [TLGAD rule mcnutt]
> > action0=set_access_level=ALL
> > condition0=sAMAccountName,contains,mcnutt
> > match=all
> > class=administration
> > description=mcnutt
> >
> > [TLGAD rule TEST-CORP-LAN]
> > action0=set_role=CORP-LAN
> > condition0=sAMAccountName,contains,mcnutt (just testing to make sure my rule hits)
> > match=any
> > class=authentication
> > action1=set_access_duration=5D
> >
> > [TLGAD rule catchall]
> > action0=set_access_duration=5D
> > match=all
> > class=authentication
> > action1=set_role=CORP-LAN
> >
> > CORP-VLAN on a given switch maps to VLAN 120, but the vlan is never returned in the radius reply.
> >
> > Only when I choose that role for the device in the node settings do the 3 vlan attributes get re-assigned.
> >
> > Robert McNutt
_______________________________________________ PacketFence-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/packetfence-users
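As an added example (not part of the thread and not PacketFence project code), the following Python script parses packetfence_httpd.aaa lines of the shape quoted above and reports, per client MAC, the sessions where role resolution fell through: a `Role: (undefined)` result from `pf::role::fetchRoleForNode`, the "unable to match a role" fallback, and the follow-on `switches.conf` VLAN lookup failure. The sample input is constructed from the log lines in the message plus one healthy line added for contrast; the field layout of the regular expressions is an assumption derived from those lines only.

```python
import re
from collections import defaultdict

# Constructed sample: the httpd.aaa/pfqueue lines quoted in the thread, plus one
# healthy fetchRoleForNode line (MAC aa:bb:cc:dd:ee:ff, user "alice") made up
# here so the report has a non-failing session to ignore.
SAMPLE_LOG = "\n".join([
    'Jun 26 00:42:44 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(8940) INFO: [mac:38:c9:86:06:f2:85] Using sources for matching (pf::authentication::match2)',
    'Jun 26 00:42:44 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(8940) WARN: [mac:38:c9:86:06:f2:85] Use of uninitialized value $role in concatenation (.) or string at /usr/local/pf/lib/pf/role.pm line 472. (pf::role::getRegisteredRole)',
    'Jun 26 00:42:44 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(8940) INFO: [mac:38:c9:86:06:f2:85] Username was NOT defined or unable to match a role - returning node based role \'\' (pf::role::getRegisteredRole)',
    'Jun 26 00:42:44 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(8940) INFO: [mac:38:c9:86:06:f2:85] PID: "rmcnutt", Status: reg Returned VLAN: (undefined), Role: (undefined) (pf::role::fetchRoleForNode)',
    'Jun 26 00:42:44 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(8940) WARN: [mac:38:c9:86:06:f2:85] Use of uninitialized value $vlanName in hash element at /usr/local/pf/lib/pf/Switch.pm line 800. (pf::Switch::getVlanByName)',
    'Jun 26 00:42:44 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(8940) WARN: [mac:38:c9:86:06:f2:85] No parameter Vlan found in conf/switches.conf for the switch 172.17.1.2 (pf::Switch::getVlanByName)',
    'Jun 26 00:42:44 PacketFence-ZEN pfqueue: pfqueue(30760) INFO: [mac:unknown] undefined source id provided (pf::lookup::person::lookup_person)',
    # constructed healthy line for contrast (not from the thread)
    'Jun 26 00:45:10 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(8940) INFO: [mac:aa:bb:cc:dd:ee:ff] PID: "alice", Status: reg Returned VLAN: 120, Role: CORP-LAN (pf::role::fetchRoleForNode)',
])

# Layout assumed from the quoted lines:
# <timestamp> <host> <process>: <worker>(<pid>) <LEVEL>: [mac:<mac>] <message> (<pf::function>)
LINE_RE = re.compile(
    r'^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<proc>[\w.]+): '
    r'\S+\((?P<pid>\d+)\) (?P<level>\w+): \[mac:(?P<mac>[^\]]+)\] '
    r'(?P<msg>.*?) \((?P<func>pf::[\w:]+)\)$'
)

# Result line written by pf::role::fetchRoleForNode.
ROLE_RE = re.compile(
    r'PID: "(?P<user>[^"]+)", Status: (?P<status>\w+) Returned VLAN: '
    r'(?P<vlan>[^,]+), Role: (?P<role>.+)'
)


def parse_line(line):
    """Split one log line into its fields, or return None if it does not fit."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def find_role_failures(log_text):
    """Group lines by client MAC and keep the sessions whose role came back undefined.

    Returns {mac: {"username", "vlan", "role", "reasons"}} for failing sessions.
    """
    sessions = defaultdict(lambda: {"username": None, "vlan": None, "role": None, "reasons": []})
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or rec["mac"] == "unknown":  # pfqueue lines carry no MAC
            continue
        sess = sessions[rec["mac"]]
        msg = rec["msg"]
        rm = ROLE_RE.search(msg)
        if rm:
            sess["username"] = rm["user"]
            sess["vlan"] = rm["vlan"]
            sess["role"] = rm["role"]
        # Classify the symptoms that precede / explain an undefined role.
        if "unable to match a role" in msg:
            sess["reasons"].append("no authentication rule produced a role; node role '' used")
        elif "uninitialized value $role" in msg:
            sess["reasons"].append("getRegisteredRole saw an undefined $role")
        elif "No parameter Vlan found in conf/switches.conf" in msg:
            sess["reasons"].append("switches.conf has no VLAN for the empty role name")
    return {mac: s for mac, s in sessions.items()
            if s["role"] == "(undefined)" or s["reasons"]}


def report(log_text):
    """Human-readable summary, one line per failing session."""
    lines = []
    for mac, s in sorted(find_role_failures(log_text).items()):
        lines.append(f"{mac} user={s['username']} role={s['role']} vlan={s['vlan']}")
        for r in s["reasons"]:
            lines.append(f"    - {r}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

Run against a real `packetfence_httpd.aaa` log it surfaces every MAC for which the authentication source matched the user but no `set_role` action fired, which is the situation the thread describes; the healthy constructed session is left out because its role resolved.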
