This means that there are no sources associated with your connection profile:
Jun 26 00:42:44 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(8940)
INFO: [mac:38:c9:86:06:f2:85] Using sourcesfor matching
(pf::authentication::match2)
So no source, then no rules, then no roles.
Can you paste what comes before, from the beginning of the radius request? (It
should be something like this: Jun 26 00:42:44 PacketFence-ZEN
packetfence_httpd.aaa: httpd.aaa(8940) INFO: [mac:38:c9:86:06:f2:85]
handling radius autz request:....)
Regards
Fabrice
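As an added illustration (not code from the thread or from PacketFence), a small Python checker that applies the diagnosis above to httpd.aaa lines: it groups lines by MAC, reads the source list out of the "Using sources ... for matching" entry written by pf::authentication::match2 and the outcome written by pf::role::fetchRoleForNode, and reports why no VLAN came back. The sample input is the log quoted in the thread plus one constructed healthy request; the MAC aa:bb:cc:dd:ee:ff and the use of TLGAD (Robert's source name) as the matched source are assumptions.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Sample input: the two decisive httpd.aaa lines quoted in this thread, plus one
# CONSTRUCTED request (MAC aa:bb:cc:dd:ee:ff) showing the healthy shape.
SAMPLE_LOG = """\
Jun 26 00:42:44 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(8940) INFO: [mac:38:c9:86:06:f2:85] Using sourcesfor matching (pf::authentication::match2)
Jun 26 00:42:44 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(8940) INFO: [mac:38:c9:86:06:f2:85] PID: "rmcnutt", Status: reg Returned VLAN: (undefined), Role: (undefined) (pf::role::fetchRoleForNode)
Jun 26 00:42:46 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(8940) INFO: [mac:aa:bb:cc:dd:ee:ff] Using sources TLGAD for matching (pf::authentication::match2)
Jun 26 00:42:46 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(8940) INFO: [mac:aa:bb:cc:dd:ee:ff] PID: "rmcnutt", Status: reg Returned VLAN: 120, Role: CORP-LAN (pf::role::fetchRoleForNode)
"""
MAC_RE = re.compile(r"\[mac:([0-9a-f:]{17})\]")
# match2 logs the comma-joined source ids; an empty list leaves nothing between
# "sources" and "for", which is exactly what the thread's log shows.
SOURCES_RE = re.compile(r"Using sources\s*(.*?)\s*for matching")
OUTCOME_RE = re.compile(r"Returned VLAN: (.+?), Role: (.+?) \(pf::role::fetchRoleForNode\)")

@dataclass
class RequestTrace:
    mac: str
    sources: Optional[List[str]] = None   # None: no match2 line seen for this MAC
    vlan: Optional[str] = None
    role: Optional[str] = None

def parse_aaa_log(text: str) -> Dict[str, RequestTrace]:
    """Group httpd.aaa lines by MAC and extract the source list and the outcome."""
    traces: Dict[str, RequestTrace] = {}
    for line in text.splitlines():
        m = MAC_RE.search(line)
        if not m:
            continue
        tr = traces.setdefault(m.group(1), RequestTrace(m.group(1)))
        if s := SOURCES_RE.search(line):
            tr.sources = [x for x in s.group(1).split(",") if x]
        if o := OUTCOME_RE.search(line):
            tr.vlan = None if o.group(1) == "(undefined)" else o.group(1)
            tr.role = None if o.group(2) == "(undefined)" else o.group(2)
    return traces

def diagnose(tr: RequestTrace) -> str:
    """Apply the chain from the thread: no source -> no rules -> no role -> no VLAN."""
    if tr.sources is None:
        return "incomplete: no 'Using sources' line for this request"
    if not tr.sources:
        return "no authentication source attached to the matching connection profile"
    if tr.role is None:
        return "sources consulted but no rule set a role (check rule conditions)"
    if tr.vlan is None:
        return f"role {tr.role} set but no VLAN mapped for it in switches.conf"
    return "ok"
```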
On 19-06-25 at 20:44, Robert McNutt wrote:
That's not the issue, PF is matching on the user, it's just not ever
returning the role. I see this in the log:
Jun 26 00:42:44 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(8940)
INFO: [mac:38:c9:86:06:f2:85] Using sourcesfor matching
(pf::authentication::match2)
Jun 26 00:42:44 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(8940)
WARN: [mac:38:c9:86:06:f2:85] Use of uninitialized value $role in
concatenation (.) or string at /usr/local/pf/lib/pf/role.pm line 472.
(pf::role::getRegisteredRole)
Jun 26 00:42:44 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(8940)
INFO: [mac:38:c9:86:06:f2:85] Username was NOT defined or unable to
match a role - returning node based role '' (pf::role::getRegisteredRole)
Jun 26 00:42:44 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(8940)
INFO: [mac:38:c9:86:06:f2:85] PID: "rmcnutt", Status: reg Returned
VLAN: (undefined), Role: (undefined) (pf::role::fetchRoleForNode)
Jun 26 00:42:44 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(8940)
WARN: [mac:38:c9:86:06:f2:85] Use of uninitialized value $vlanName in
hash element at /usr/local/pf/lib/pf/Switch.pm line 800.
(pf::Switch::getVlanByName)
Jun 26 00:42:44 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(8940)
WARN: [mac:38:c9:86:06:f2:85] Use of uninitialized value $vlanName in
concatenation (.) or string at /usr/local/pf/lib/pf/Switch.pm line 803.
(pf::Switch::getVlanByName)
Jun 26 00:42:44 PacketFence-ZEN packetfence_httpd.aaa: httpd.aaa(8940)
WARN: [mac:38:c9:86:06:f2:85] No parameter Vlan found in
conf/switches.conf for the switch 172.17.1.2 (pf::Switch::getVlanByName)
Jun 26 00:42:44 PacketFence-ZEN pfqueue: pfqueue(30760) INFO:
[mac:unknown] undefined source id provided
(pf::lookup::person::lookup_person)
Robert McNutt
On Tue, Jun 25, 2019 at 8:17 PM Durand fabrice via PacketFence-users
<[email protected]> wrote:
Hello Robert,
What you can do is to use adsiedit.msc on the AD to be able to see
the attributes of a user or a group.
There are 2 ways in AD to define a user in a group. The first one:
when you edit a user you should be able to see
memberof:cn=bob,dc=acme,dc=com.
So I mean that in packetfence you need to set memberof is equal to
cn=bob,dc=acme,dc=com (exact syntax).
The other one is when you edit a group; then you should be able to
see member: dn:cn=bob,dc=acme,dc=com.
In that case you need to copy the dn of the group and use a
rule like that:
ismemberOf is equal to "the dn of the group".
To test it, use pftest authentication ...
Regards
Fabrice
On 19-06-25 at 19:18, Robert McNutt via PacketFence-users wrote:
Can someone share a working config that returns a VLAN in a
radius reply based on a memberof match? I can't seem to get PF to
return a vlan/role for anything other than what's defined in the
node...
Here is my config if it helps.
from authentication.conf
[TLGAD]
cache_match=0
read_timeout=10
realms=tlg
password=****
searchattributes=
scope=sub
binddn=cn=****,dc=jamesburg,dc=local
port=389
description=Local AD
write_timeout=5
type=AD
basedn=dc=jamesburg,dc=local
monitor=1
set_access_level_action=
shuffle=0
email_attribute=mail
usernameattribute=sAMAccountName
connection_timeout=1
encryption=none
host=10.100.50.15
dynamic_routing_module=AuthModule
[TLGAD rule mcnutt]
action0=set_access_level=ALL
condition0=sAMAccountName,contains,mcnutt
match=all
class=administration
description=mcnutt
[TLGAD rule TEST-CORP-LAN]
action0=set_role=CORP-LAN
condition0=sAMAccountName,contains,mcnutt (just testing to make
sure my rule hits)
match=any
class=authentication
action1=set_access_duration=5D
[TLGAD rule catchall]
action0=set_access_duration=5D
match=all
class=authentication
action1=set_role=CORP-LAN
CORP-VLAN on a given switch maps to VLAN 120, but the vlan is
never returned in the radius reply.
Only when I choose that role for the device in the node settings
do the 3 vlan attributes get re-assigned.
Robert McNutt
_______________________________________________
PacketFence-users mailing list
[email protected]
<mailto:[email protected]>
https://lists.sourceforge.net/lists/listinfo/packetfence-users