You need to set this up in VLAN filters.

Tomasz Karczewski
Network Administrator
[email protected]
http://www.man.olsztyn.pl
http://www.uwm.edu.pl
tel. (89) 523 45 55
fax. (89) 523 43 47
Ośrodek Eksploatacji i Zarządzania Miejską Siecią Komputerową OLMAN w Olsztynie (OLMAN metropolitan network operations centre)
Uniwersytet Warmińsko-Mazurski w Olsztynie (University of Warmia and Mazury in Olsztyn)

From: Gregor Fajdiga via PacketFence-users <[email protected]>
Sent: Wednesday, February 26, 2020 12:40 PM
To: [email protected]
Cc: Gregor Fajdiga <[email protected]>
Subject: [PacketFence-users] Fwd: Re: [External] Re: Assign the default VLAN based on a mac address

-------- Forwarded Message --------
Subject: Re: [PacketFence-users] [External] Re: Assign the default VLAN based on a mac address
Date: Wed, 26 Feb 2020 10:39:53 +0100
From: Gregor Fajdiga <[email protected]>
Organization: Delo d.d.
To: Ludovic Zammit <[email protected]>

Hello Ludovic,

No. The computer account authenticates correctly. The problem is that PacketFence doesn't assign the role that I have set in the authentication rules of my authentication source.

Feb 26 10:06:27 pf1 packetfence_httpd.aaa: httpd.aaa(24517) INFO: [mac:70:5a:0f:d3:20:84] handling radius autz request: from switch_ip => (172.16.133.169), connection_type => Ethernet-EAP,switch_mac => (f8:b7:e2:00:00:01), mac => [70:5a:0f:d3:20:84], port => 10634, username => "host/it4.ad" (pf::radius::authorize)
Feb 26 10:06:27 pf1 packetfence_httpd.aaa: httpd.aaa(24517) INFO: [mac:70:5a:0f:d3:20:84] is doing machine auth with account 'host/it4.ad'. (pf::radius::authorize)
Feb 26 10:06:27 pf1 packetfence_httpd.aaa: httpd.aaa(24517) INFO: [mac:70:5a:0f:d3:20:84] Instantiate profile 8021x (pf::Connection::ProfileFactory::_from_profile)
Feb 26 10:06:27 pf1 packetfence_httpd.aaa: httpd.aaa(24517) INFO: [mac:70:5a:0f:d3:20:84] Found authentication source(s) : 'DC1_DC2' for realm 'ad' (pf::config::util::filter_authentication_sources)
Feb 26 10:06:27 pf1 packetfence_httpd.aaa: httpd.aaa(24517) INFO: [mac:70:5a:0f:d3:20:84] Using sources DC1_DC2 for matching (pf::authentication::match2)
Feb 26 10:06:27 pf1 packetfence_httpd.aaa: httpd.aaa(24517) WARN: [mac:70:5a:0f:d3:20:84] No category computed for autoreg (pf::role::getNodeInfoForAutoReg)
Feb 26 10:06:27 pf1 packetfence_httpd.aaa: httpd.aaa(24517) WARN: [mac:70:5a:0f:d3:20:84] Switch type 'pf::Switch::Cisco::Catalyst_2960G' does not support MABFloatingDevices (pf::SwitchSupports::__ANON__)
Feb 26 10:06:27 pf1 packetfence_httpd.aaa: httpd.aaa(24517) INFO: [mac:70:5a:0f:d3:20:84] Found authentication source(s) : 'DC1_DC2' for realm 'ad' (pf::config::util::filter_authentication_sources)
Feb 26 10:06:27 pf1 packetfence_httpd.aaa: httpd.aaa(24517) INFO: [mac:70:5a:0f:d3:20:84] Role has already been computed and we don't want to recompute it. Getting role from node_info (pf::role::getRegisteredRole)
Feb 26 10:06:27 pf1 packetfence_httpd.aaa: httpd.aaa(24517) WARN: [mac:70:5a:0f:d3:20:84] Use of uninitialized value $role in concatenation (.) or string at /usr/local/pf/lib/pf/role.pm line 483.
Feb 26 10:06:27 pf1 packetfence_httpd.aaa: httpd.aaa(24517) INFO: [mac:70:5a:0f:d3:20:84] Username was NOT defined or unable to match a role - returning node based role '' (pf::role::getRegisteredRole)
Feb 26 10:06:27 pf1 packetfence_httpd.aaa: httpd.aaa(24517) INFO: [mac:70:5a:0f:d3:20:84] PID: "host/it4.ad", Status: reg Returned VLAN: (undefined), Role: (undefined) (pf::role::fetchRoleForNode)
Feb 26 10:06:27 pf1 packetfence_httpd.aaa: httpd.aaa(24517) WARN: [mac:70:5a:0f:d3:20:84] Use of uninitialized value $vlanName in hash element at /usr/local/pf/lib/pf/Switch.pm line 608.
Feb 26 10:06:27 pf1 packetfence_httpd.aaa: httpd.aaa(24517) WARN: [mac:70:5a:0f:d3:20:84] Use of uninitialized value $vlanName in concatenation (.) or string at /usr/local/pf/lib/pf/Switch.pm line 611.
Feb 26 10:06:27 pf1 packetfence_httpd.aaa: httpd.aaa(24517) WARN: [mac:70:5a:0f:d3:20:84] No parameter Vlan found in conf/switches.conf for the switch 172.16.133.169 (pf::Switch::getVlanByName)
Feb 26 10:06:27 pf1 packetfence_httpd.aaa: httpd.aaa(24517) WARN: [mac:70:5a:0f:d3:20:84] Use of uninitialized value $roleName in hash element at /usr/local/pf/lib/pf/Switch.pm line 591.
Feb 26 10:06:27 pf1 packetfence_httpd.aaa: httpd.aaa(24517) WARN: [mac:70:5a:0f:d3:20:84] Use of uninitialized value $roleName in concatenation (.) or string at /usr/local/pf/lib/pf/Switch.pm line 594.
Feb 26 10:06:27 pf1 packetfence_httpd.aaa: httpd.aaa(24517) INFO: [mac:70:5a:0f:d3:20:84] security_event 1300003 force-closed for 70:5a:0f:d3:20:84 (pf::security_event::security_event_force_close)
Feb 26 10:06:27 pf1 packetfence_httpd.aaa: httpd.aaa(24517) INFO: [mac:70:5a:0f:d3:20:84] Instantiate profile 8021x (pf::Connection::ProfileFactory::_from_profile)
Feb 26 10:06:28 pf1 pfqueue: pfqueue(24783) WARN: [mac:70:5a:0f:d3:20:84] Unable to pull accounting history for device 70:5a:0f:d3:20:84. The history set doesn't exist yet. (pf::accounting_events_history::latest_mac_history)

However, it does work properly and assigns a role and VLAN if I set it manually for each node.

I would like to accomplish something similar to what Peter Truax described previously in this thread, except I would like to base it on the computers instead of the users.

> We have our PacketFence server authenticating against an Active Directory
> domain. If the user is found in Active Directory, then the switch port is
> configured for a vlan based on the users AD group OU.

I have tried to set the following conditions in the authentication rules of my authentication source:
- without any condition at all
- member of AD group
- MAC address
- connection type

Regardless of what I have tried, I got the same log as above.

Best regards,
Gregor Fajdiga
System administrator, IT
Delo, d.o.o.
Dunajska 5, SI-1509 Ljubljana
T: +386 1 4737 993
[email protected]
www.delo.si

Ludovic Zammit wrote:

Hello Gregor,

Machine account and user account are different.

Machine account = servicePrincipalName
User account = samAccountName

Make sure to add the servicePrincipalName in the attribute list for the search under your LDAP / AD source.

You can't test a computer account with the bin/pftest authentication tool.

Reply-Message = "max nodes per pid met or exceeded"

That error message means that you never got a role for that connection. Grep your MAC address in logs/packetfence.log and you will see that your authentication did not match the correct source/rule.

Thanks,

Ludovic Zammit
[email protected] :: +1.514.447.4918 (x145) :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence (http://packetfence.org)

On Feb 21, 2020, at 8:17 AM, Gregor Fajdiga via PacketFence-users <[email protected]> wrote:

I have tried with pftest and the user account and the users group.

Authenticating against 'DELODC3_DELODC4' in context 'admin'
Authentication SUCCEEDED against DELODC3_DELODC4 (Authentication successful.)
Matched against DELODC3_DELODC4 for 'authentication' rule all
    set_role : DTI
    set_access_duration : 1D
Did not match against DELODC3_DELODC4 for 'administration' rules
Authenticating against 'DELODC3_DELODC4' in context 'portal'
Authentication SUCCEEDED against DELODC3_DELODC4 (Authentication successful.)
Matched against DELODC3_DELODC4 for 'authentication' rule all
    set_role : DTI
    set_access_duration : 1D
Did not match against DELODC3_DELODC4 for 'administration' rules

I don't have any administration rules.

However, when I use the machine account and the corresponding group I always get Reply-Message = "max nodes per pid met or exceeded" unless I set the role in the Node configuration.

Best regards,
Gregor Fajdiga
System administrator, IT
Delo, d.o.o.
Dunajska 5, SI-1509 Ljubljana
T: +386 1 4737 993
[email protected]
www.delo.si

Gregor Fajdiga wrote:

Could you please tell me how you did that. I am trying to set a rule in the Authentication source, but it doesn't seem to work. I have tried the following:
- memberOf is member of IT
- memberOf equals IT
- memberOf is member of ou=IT,ou=..., ...
- memberOf equals ou=IT,ou=..., ...

My version of PacketFence is 9.3.0.

Best regards,
Gregor Fajdiga
System administrator, IT
Delo, d.o.o.
Dunajska 5, SI-1509 Ljubljana
T: +386 1 4737 993
[email protected]
www.delo.si

Truax, Peter via PacketFence-users wrote:

> If the user is found in Active Directory, then the switch port is configured for a vlan based on the users AD group OU.

_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
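The thread boils down to reading logs/packetfence.log for the MAC and spotting that pf::role::fetchRoleForNode returned "Role: (undefined)" for a host/... username, which is machine auth and therefore has to be matched on servicePrincipalName rather than sAMAccountName. The following is an added triage script, not code from PacketFence or from anyone in the thread. It assumes the log line shape visible in the excerpt above (timestamp, host, process, "[mac:...]" tag, message, optional trailing "(pf::...)" function name); the first six sample lines are taken from Gregor's excerpt, the last two are constructed to show a successful assignment, and the LDAP filter mapping only illustrates Ludovic's servicePrincipalName/sAMAccountName point, not the query PacketFence builds internally.

```python
"""Triage helper for PacketFence machine-auth role failures (added example).

Parses packetfence.log lines of the shape quoted in the thread, reports whether
fetchRoleForNode produced a role for a MAC, and maps a RADIUS username to the AD
attribute it should be matched on (machine account vs user account).
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Line shape inferred from the excerpt: "<ts> <host> <proc>: <tag>(<pid>) <LEVEL>:
# [mac:<mac>] <message> (<pf::function>)". The trailing function is optional
# because Perl warnings ("Use of uninitialized value ...") carry none.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<proc>[^:]+): "
    r"\S+\((?P<pid>\d+)\) (?P<level>[A-Z]+): \[mac:(?P<mac>[0-9a-f:]{17})\] "
    r"(?P<msg>.*?)(?: \((?P<func>pf::[\w:]+)\))?$"
)
USERNAME_RE = re.compile(r'username => "([^"]*)"')
ROLE_RE = re.compile(r"Returned VLAN: (\S+), Role: (\S+)")

# Lines 1-6 are the thread's own log excerpt; lines 7-8 are constructed here
# (MAC aa:bb:cc:dd:ee:ff, account host/it5.ad) to show a successful assignment.
SAMPLE_LOG = """\
Feb 26 10:06:27 pf1 packetfence_httpd.aaa: httpd.aaa(24517) INFO: [mac:70:5a:0f:d3:20:84] handling radius autz request: from switch_ip => (172.16.133.169), connection_type => Ethernet-EAP,switch_mac => (f8:b7:e2:00:00:01), mac => [70:5a:0f:d3:20:84], port => 10634, username => "host/it4.ad" (pf::radius::authorize)
Feb 26 10:06:27 pf1 packetfence_httpd.aaa: httpd.aaa(24517) INFO: [mac:70:5a:0f:d3:20:84] is doing machine auth with account 'host/it4.ad'. (pf::radius::authorize)
Feb 26 10:06:27 pf1 packetfence_httpd.aaa: httpd.aaa(24517) INFO: [mac:70:5a:0f:d3:20:84] Using sources DC1_DC2 for matching (pf::authentication::match2)
Feb 26 10:06:27 pf1 packetfence_httpd.aaa: httpd.aaa(24517) WARN: [mac:70:5a:0f:d3:20:84] No category computed for autoreg (pf::role::getNodeInfoForAutoReg)
Feb 26 10:06:27 pf1 packetfence_httpd.aaa: httpd.aaa(24517) WARN: [mac:70:5a:0f:d3:20:84] Use of uninitialized value $role in concatenation (.) or string at /usr/local/pf/lib/pf/role.pm line 483.
Feb 26 10:06:27 pf1 packetfence_httpd.aaa: httpd.aaa(24517) INFO: [mac:70:5a:0f:d3:20:84] PID: "host/it4.ad", Status: reg Returned VLAN: (undefined), Role: (undefined) (pf::role::fetchRoleForNode)
Feb 26 10:20:01 pf1 packetfence_httpd.aaa: httpd.aaa(24517) INFO: [mac:aa:bb:cc:dd:ee:ff] handling radius autz request: from switch_ip => (172.16.133.169), connection_type => Ethernet-EAP, mac => [aa:bb:cc:dd:ee:ff], port => 10635, username => "host/it5.ad" (pf::radius::authorize)
Feb 26 10:20:01 pf1 packetfence_httpd.aaa: httpd.aaa(24517) INFO: [mac:aa:bb:cc:dd:ee:ff] PID: "host/it5.ad", Status: reg Returned VLAN: 20, Role: DTI (pf::role::fetchRoleForNode)
"""


@dataclass
class Entry:
    ts: str
    level: str
    mac: str
    msg: str
    func: Optional[str]


def parse_log(text: str) -> List[Entry]:
    """One Entry per line matching LINE_RE; lines of any other shape are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            entries.append(Entry(m["ts"], m["level"], m["mac"], m["msg"], m["func"]))
    return entries


def is_machine_account(username: str) -> bool:
    """PacketFence logs machine auth with a host/<fqdn> username, as in the excerpt."""
    return username.lower().startswith("host/")


def _ldap_escape(value: str) -> str:
    """RFC 4515 escaping so a RADIUS-supplied username cannot alter the filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)


def ldap_search_filter(username: str) -> str:
    """Attribute to look the account up by (Ludovic's point): machine accounts by
    servicePrincipalName, user accounts by sAMAccountName. Illustrative only."""
    attr = "servicePrincipalName" if is_machine_account(username) else "sAMAccountName"
    return "(%s=%s)" % (attr, _ldap_escape(username))


def diagnose(entries: List[Entry], mac: str) -> Dict[str, object]:
    """Summarise the authorization outcome for one MAC from parsed log entries."""
    mine = [e for e in entries if e.mac == mac]
    username: Optional[str] = None
    vlan: Optional[str] = None
    role: Optional[str] = None
    for e in mine:
        m = USERNAME_RE.search(e.msg)
        if m:
            username = m.group(1)
        m = ROLE_RE.search(e.msg)
        if m:
            vlan, role = m.group(1), m.group(2)
    machine_auth = username is not None and is_machine_account(username)
    role_assigned = role is not None and role != "(undefined)"
    hints: List[str] = []
    if not role_assigned:
        if any("No category computed for autoreg" in e.msg for e in mine):
            hints.append("no authentication rule matched, so the source returned no role")
        if machine_auth:
            hints.append("machine auth: match the account by servicePrincipalName "
                         "(the host/... name), not sAMAccountName; bin/pftest cannot test it")
    return {"username": username, "machine_auth": machine_auth, "vlan": vlan,
            "role": role, "role_assigned": role_assigned, "hints": hints}


if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LOG)
    for device in ("70:5a:0f:d3:20:84", "aa:bb:cc:dd:ee:ff"):
        print(device, diagnose(parsed, device))
```

Run it against a real log with `parse_log(open("/usr/local/pf/logs/packetfence.log").read())` and the MAC from the RADIUS request; a "Role: (undefined)" line for a host/... username is exactly the case Ludovic describes, and the LDAP filter shows which attribute the source's search has to carry.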
