-------- Forwarded Message --------
Subject: Re: [PacketFence-users] [External] Re: Assign the default VLAN
based on a mac address
Date: Wed, 26 Feb 2020 10:39:53 +0100
From: Gregor Fajdiga <[email protected]>
Organization: Delo d.d.
To: Ludovic Zammit <[email protected]>
Hello Ludovic,
No. Computer account authenticates correctly. The problem is that
packetfence doesn't
assign the role that I have set in authentication rules in my
authentication source.
Feb 26 10:06:27 pf1 packetfence_httpd.aaa: httpd.aaa(24517) INFO:
[mac:70:5a:0f:d3:20:84] handling radius autz request: from switch_ip =>
(172.16.133.169), connection_type => Ethernet-EAP,switch_mac =>
(f8:b7:e2:00:00:01), mac => [70:5a:0f:d3:20:84], port => 10634, username
=> "host/it4.ad" (pf::radius::authorize)
Feb 26 10:06:27 pf1 packetfence_httpd.aaa: httpd.aaa(24517) INFO:
[mac:70:5a:0f:d3:20:84] is doing machine auth with account
'host/it4.ad'. (pf::radius::authorize)
Feb 26 10:06:27 pf1 packetfence_httpd.aaa: httpd.aaa(24517) INFO:
[mac:70:5a:0f:d3:20:84] Instantiate profile 8021x
(pf::Connection::ProfileFactory::_from_profile)
Feb 26 10:06:27 pf1 packetfence_httpd.aaa: httpd.aaa(24517) INFO:
[mac:70:5a:0f:d3:20:84] Found authentication source(s) : DC1_DC2' for
realm 'ad' (pf::config::util::filter_authentication_sources)
Feb 26 10:06:27 pf1 packetfence_httpd.aaa: httpd.aaa(24517) INFO:
[mac:70:5a:0f:d3:20:84] Using sources DC1_DC2 for matching
(pf::authentication::match2)
Feb 26 10:06:27 pf1 packetfence_httpd.aaa: httpd.aaa(24517) WARN:
[mac:70:5a:0f:d3:20:84] No category computed for autoreg
(pf::role::getNodeInfoForAutoReg)
Feb 26 10:06:27 pf1 packetfence_httpd.aaa: httpd.aaa(24517) WARN:
[mac:70:5a:0f:d3:20:84] Switch type 'pf::Switch::Cisco::Catalyst_2960G'
does not support MABFloatingDevices (pf::SwitchSupports::__ANON__)
Feb 26 10:06:27 pf1 packetfence_httpd.aaa: httpd.aaa(24517) INFO:
[mac:70:5a:0f:d3:20:84] Found authentication source(s) : 'DC1_DC2' for
realm 'ad' (pf::config::util::filter_authentication_sources)
Feb 26 10:06:27 pf1 packetfence_httpd.aaa: httpd.aaa(24517) INFO:
[mac:70:5a:0f:d3:20:84] Role has already been computed and we don't want
to recompute it. Getting role from node_info (pf::role::getRegisteredRole)
Feb 26 10:06:27 pf1 packetfence_httpd.aaa: httpd.aaa(24517) WARN:
[mac:70:5a:0f:d3:20:84] Use of uninitialized value $role in
concatenation (.) or string at /usr/local/pf/lib/pf/role.pm line 483.
Feb 26 10:06:27 pf1 packetfence_httpd.aaa: httpd.aaa(24517) INFO:
[mac:70:5a:0f:d3:20:84] Username was NOT defined or unable to match a
role - returning node based role '' (pf::role::getRegisteredRole)
Feb 26 10:06:27 pf1 packetfence_httpd.aaa: httpd.aaa(24517) INFO:
[mac:70:5a:0f:d3:20:84] PID: "host/it4.ad", Status: reg Returned VLAN:
(undefined), Role: (undefined) (pf::role::fetchRoleForNode)
Feb 26 10:06:27 pf1 packetfence_httpd.aaa: httpd.aaa(24517) WARN:
[mac:70:5a:0f:d3:20:84] Use of uninitialized value $vlanName in hash
element at /usr/local/pf/lib/pf/Switch.pm line 608.
Feb 26 10:06:27 pf1 packetfence_httpd.aaa: httpd.aaa(24517) WARN:
[mac:70:5a:0f:d3:20:84] Use of uninitialized value $vlanName in
concatenation (.) or string at /usr/local/pf/lib/pf/Switch.pm line 611.
Feb 26 10:06:27 pf1 packetfence_httpd.aaa: httpd.aaa(24517) WARN:
[mac:70:5a:0f:d3:20:84] No parameter Vlan found in conf/switches.conf
for the switch 172.16.133.169 (pf::Switch::getVlanByName)
Feb 26 10:06:27 pf1 packetfence_httpd.aaa: httpd.aaa(24517) WARN:
[mac:70:5a:0f:d3:20:84] Use of uninitialized value $roleName in hash
element at /usr/local/pf/lib/pf/Switch.pm line 591.
Feb 26 10:06:27 pf1 packetfence_httpd.aaa: httpd.aaa(24517) WARN:
[mac:70:5a:0f:d3:20:84] Use of uninitialized value $roleName in
concatenation (.) or string at /usr/local/pf/lib/pf/Switch.pm line 594.
Feb 26 10:06:27 pf1 packetfence_httpd.aaa: httpd.aaa(24517) INFO:
[mac:70:5a:0f:d3:20:84] security_event 1300003 force-closed for
70:5a:0f:d3:20:84 (pf::security_event::security_event_force_close)
Feb 26 10:06:27 pf1 packetfence_httpd.aaa: httpd.aaa(24517) INFO:
[mac:70:5a:0f:d3:20:84] Instantiate profile 8021x
(pf::Connection::ProfileFactory::_from_profile)
Feb 26 10:06:28 pf1 pfqueue: pfqueue(24783) WARN:
[mac:70:5a:0f:d3:20:84] Unable to pull accounting history for device
70:5a:0f:d3:20:84. The history set doesn't exist yet.
(pf::accounting_events_history::latest_mac_history)
However, it does work properly and assigns a role and vlan if I set it
manually for each node.
I would like to accomplish something similar to what Peter Truax
described previously in this thread, except I would like to base it on
the computers instead of users.
>We have our Packetfence server authenticating against an Active
Directory domain. If the user is found in Active Directory, then the
switch port is configured for a vlan based on the users AD group OU.
I have tried to set the following condition to the authentication rules
in my authentication source:
- without condition at all
- member of ad group
- mac address
- connection type
Regardless of what I have tried I got the same log as above.
Best regards,
Gregor Fajdiga
Sistemski administrator, Informatika
System administrator, IT
Delo, d.o.o.
Dunajska 5,
SI-1509 Ljubljana
T: +386 1 4737 993
[email protected] <mailto:[email protected]>
www.delo.si <http://www.delo.si>
Ludovic Zammit wrote:
Hello Gregor,
Machine account and user account are different.
Machine account = servicePrincipalName
User account = samAccountName
Make sure to add the servicePrincipalName in the attribute list for
the search under your LDAP / AD source.
You can’t test a computer account with the bin/pftest authentication tool.
Reply-Message = "max nodes per pid met or exceeded”
That error message means that you never got a role for that connection.
Grep your Mac address in the logs/packetfence.log and you would see
that your authentication did not match the correct source/rule.
Thanks,
Ludovic Zammit
[email protected] <mailto:[email protected]> :: +1.514.447.4918 (x145)
::www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence
(http://packetfence.org)
On Feb 21, 2020, at 8:17 AM, Gregor Fajdiga via PacketFence-users
<[email protected]
<mailto:[email protected]>> wrote:
I have tried with pf test and the user account and the users group.
Authenticating against 'DELODC3_DELODC4' in context 'admin'
Authentication SUCCEEDED against DELODC3_DELODC4 (Authentication
successful.)
Matched against DELODC3_DELODC4 for 'authentication' rule all
set_role : DTI
set_access_duration : 1D
Did not match against DELODC3_DELODC4 for 'administration' rules
Authenticating against 'DELODC3_DELODC4' in context 'portal'
Authentication SUCCEEDED against DELODC3_DELODC4 (Authentication
successful.)
Matched against DELODC3_DELODC4 for 'authentication' rule all
set_role : DTI
set_access_duration : 1D
Did not match against DELODC3_DELODC4 for 'administration' rules
I don't have any administration rules.
However when I use the machine account and the corresponding group I
always get
Reply-Message = "max nodes per pid met or exceeded"
unless I set the role in the Node configuration.
Best regards,
Gregor Fajdiga
Sistemski administrator, Informatika
System administrator, IT
Delo, d.o.o.
Dunajska 5,
SI-1509 Ljubljana
T: +386 1 4737 993
[email protected] <mailto:[email protected]>
www.delo.si <http://www.delo.si/>
Gregor Fajdiga wrote:
Could you please tell me how you did that.
I am trying to set a rule in the Authentication source, but it
doesn't seem to work.
I have tried the following
memberOf is member of IT
memberOf equals IT
memberOf is member of ou=IT,ou=..., ...
memberOf equals ou=IT,ou=..., ...
My version of Packetfence is 9.3.0.
Best regards,
Gregor Fajdiga
Sistemski administrator, Informatika
System administrator, IT
Delo, d.o.o.
Dunajska 5,
SI-1509 Ljubljana
T: +386 1 4737 993
[email protected] <mailto:[email protected]>
www.delo.si <http://www.delo.si/>
Truax, Peter via PacketFence-users wrote:
If the user is found in Active Directory, then the switch port is
configured for a vlan based on the users AD group OU.
_______________________________________________
PacketFence-users mailing list
[email protected]
<mailto:[email protected]>
https://lists.sourceforge.net/lists/listinfo/packetfence-users
_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
