Hi Fabrice, the filter
machine_account != ""
is working but checks only the current connection.
In my case the PC does machine_auth during the login screen and user_auth after login.
I found the issue in file radius.pm; if you add this line:
    $options->{'last_connection_sub_type'} = $args->{'connection_sub_type'};
    $options->{'last_connection_type'} = connection_type_to_str($args->{'connection_type'});
    $options->{'last_switch'} = $switch_id;
    $options->{'last_port'} = $args->{'switch'}->{switch_port} if (defined($args->{'switch'}->{switch_port}));
    $options->{'last_vlan'} = $args->{'vlan'} if (defined($args->{'vlan'}));
    $options->{'last_ssid'} = $args->{'ssid'} if (defined($args->{'ssid'}));
    $options->{'last_dot1x_username'} = $args->{'user_name'} if (defined($args->{'user_name'}));
    $options->{'realm'} = $args->{'realm'} if (defined($args->{'realm'}));
    $options->{'radius_request'} = $args->{'radius_request'};
    $options->{'fingerbank_info'} = $args->{'fingerbank_info'};
    # Enrico Pasqualotto: expose the node's DB record to the profile filter
    $options->{'node_info'} = $args->{'node_info'};
    $logger->info("Machine account value on DB for user ".$args->{'user_name'}.": ".$args->{'node_info'}->{machine_account});
All is working as expected.
For example:
Jul 19 16:34:52 localhost packetfence_httpd.aaa: httpd.aaa(26717) INFO: [mac:00:26:b9:e6:ca:ed] handling radius autz request: from switch_ip => (192.168.110.55), connection_type => Ethernet-EAP,switch_mac => (fc:fb:fb:96:d9:03), mac => [00:26:b9:e6:ca:ed], port => 10001, username => "NETSPIN\testlocal1" (pf::radius::authorize)
Jul 19 16:34:52 localhost packetfence_httpd.aaa: httpd.aaa(26717) INFO: [mac:00:26:b9:e6:ca:ed] Machine account value on DB for user NETSPIN\testlocal1: host/dell.netspin.local (pf::radius::authorize)
Jul 19 16:34:52 localhost packetfence_httpd.aaa: httpd.aaa(26717) INFO: [mac:00:26:b9:e6:ca:ed] Instantiate profile Netspin1-JoinedPC (pf::Connection::ProfileFactory::_from_profile)
my profile:
[Netspin1-JoinedPC]
locale=
filter=
description=Ciao machine only
reuse_dot1x_credentials=enabled
sources=AD-Admins-Machine
advanced_filter=node_info.machine_account != ""
The strange thing is that the "Installation guide" describes exactly this case, but
on 9.0.1 it can't match the value on the DB, only the current connection.
Use of profiles is mandatory when you need a condition with a filter on
Active-Directory groups and node_info/connection, because these are not accessible from
vlan_filter.
Enrico.
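The thread's point is that the profile advanced_filter is evaluated against the $options hash that radius.pm builds, so a key that is never copied into $options (node_info, which comes from the node table in the DB rather than from the current connection) can never match. The model below is an added illustration, not PacketFence's own filter engine or code: it mirrors the keys from the radius.pm excerpt above, uses the sample values from the log lines, and shows the filter failing without the node_info line and matching with it. The dotted-key lookup, the `&&`-only expression grammar and the `profile_matches` helper are assumptions of this model.

```python
import re

# Mirror of the $options hash from the radius.pm excerpt (model, not PacketFence code).
def build_options(args, include_node_info):
    options = {
        "last_connection_sub_type": args.get("connection_sub_type"),
        "last_connection_type": args.get("connection_type"),
        "radius_request": args.get("radius_request"),
        "fingerbank_info": args.get("fingerbank_info"),
    }
    for src, dst in (("vlan", "last_vlan"), ("ssid", "last_ssid"),
                     ("user_name", "last_dot1x_username"), ("realm", "realm")):
        if args.get(src) is not None:       # the `if (defined(...))` guards
            options[dst] = args[src]
    if include_node_info:                   # the line Enrico added to radius.pm
        options["node_info"] = args.get("node_info")
    return options

def lookup(options, path):
    """Resolve a dotted key such as node_info.machine_account. A missing key
    yields "" (Perl undef stringifies to ""), so `!= ""` fails when node_info is absent."""
    cur = options
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return ""
        cur = cur[part]
    return "" if cur is None else str(cur)

TERM = re.compile(r'^\s*([\w.]+)\s*(==|!=)\s*(?:"([^"]*)"|(\S+))\s*$')

def evaluate_filter(expr, options):
    """Evaluate `key op value` terms joined by && (the subset used in the thread)."""
    for term in expr.split("&&"):
        m = TERM.match(term)
        if not m:
            raise ValueError("unsupported filter term: " + term)
        key, op, quoted, bare = m.groups()
        expected = quoted if quoted is not None else bare
        if (lookup(options, key) == expected) != (op == "=="):
            return False
    return True

# Constructed request modelled on the thread's log lines (sample values only).
SAMPLE_ARGS = {
    "connection_type": "Ethernet-EAP", "user_name": "NETSPIN\\testlocal1",
    "node_info": {"machine_account": "host/dell.netspin.local"},  # from the node table
}
PROFILE_FILTER = 'node_info.machine_account != ""'   # Netspin1-JoinedPC advanced_filter

def profile_matches(include_node_info, expr=PROFILE_FILTER, args=SAMPLE_ARGS):
    return evaluate_filter(expr, build_options(args, include_node_info))
```

`profile_matches(False)` reproduces the unmodified 9.0.1 behaviour (no match even though machine_account is set in the DB); `profile_matches(True)` reproduces the patched run from the log.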
On 19/07/19 15:58, Fabrice Durand via PacketFence-users wrote:
Hello Enrico,
https://github.com/inverse-inc/packetfence/blob/devel/docs/PacketFence_Installation_Guide.asciidoc#advanced-access-configuration
Try that instead:
machine_account != "" && ssid == Secure
Regards
Fabrice
On 19-07-18 at 17:29, Enrico Pasqualotto via PacketFence-users wrote:
By checking the code of radius.pm (where the condition for profile selection
should be created) I can't see node_info loaded into the options. Could that be the reason why I'm
not able to use node_info.machine_account inside advanced_filter?
    $options->{'last_connection_sub_type'} = $args->{'connection_sub_type'};
    $options->{'last_connection_type'} = connection_type_to_str($args->{'connection_type'});
    $options->{'last_switch'} = $switch_id;
    $options->{'last_port'} = $args->{'switch'}->{switch_port} if (defined($args->{'switch'}->{switch_port}));
    $options->{'last_vlan'} = $args->{'vlan'} if (defined($args->{'vlan'}));
    $options->{'last_ssid'} = $args->{'ssid'} if (defined($args->{'ssid'}));
    $options->{'last_dot1x_username'} = $args->{'user_name'} if (defined($args->{'user_name'}));
    $options->{'realm'} = $args->{'realm'} if (defined($args->{'realm'}));
    $options->{'radius_request'} = $args->{'radius_request'};
    $options->{'fingerbank_info'} = $args->{'fingerbank_info'};
    my $profile = pf::Connection::ProfileFactory->instantiate($args->{'mac'}, $options);
The docs in the "Installation Guide" also have an example like:
node_info.machine_account != "" && ssid == Secure
Can someone help me to better understand the issue?
Thanks
________________________________
From: Enrico Pasqualotto via PacketFence-users <[email protected]>
Sent: Tuesday, 16 July 2019 14:26
To: [email protected]
Cc: Enrico Pasqualotto
Subject: [PacketFence-users] Profile filtering using machine_account
Hello, I'm trying to configure a setup in 802.1x where VLANs are assigned using
Active-Directory groups (ex: action0=set_role=Role_VLAN1,
condition0=memberOf,matches regexp,GroupVLAN1), but for certain VLANs it is
mandatory to have a PC joined to the domain.
All PCs have the "machine_auth or user auth" option in their WLAN settings, so they do
machine_auth at the login screen and user auth after the user enters credentials.
As the customer also needs to manage the setup, I prefer to use the web GUI.
I've created a profile with an advanced_filter: node_info.machine_account != ""
and the sources with the group for which the domain join is mandatory.
If I check the node details I see the machine_account correctly set, but the
profile doesn't get matched until I remove the string:
node_info.machine_account != ""
Does anyone know why it doesn't match the profile when I have machine_account set?
--
Enrico Pasqualotto
Private mail: [email protected]
Office: +39 045 9971269
The information contained in this message and in any attachment is intended
exclusively for the recipient. If you are not the intended recipient you are
hereby notified not to copy, save, disclose, or distribute it to any third
party. If you erroneously received this message you are kindly requested to
return it to the sender and eliminate it permanently from your computer.
_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
--
Fabrice Durand
[email protected] :: +1.514.447.4918 (x135) :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence
(http://packetfence.org)
--
Enrico Pasqualotto