Hello,
What I would like to achieve is the following. I would like to assign
the default role to the computetrs that successfully authenticated
through the authentication source.
What I am trying to tell you is this. No matter what kind of condition I
set in the authentication rule in the authentication source
(even if I don't set the condition) the action gets ignored and role (as
default) isn't set to the computer thet successfully authenticates.
If I do it like in the screenshots above, it doesn't assign the Role to
the successfully authenticated computer and throws the same log
as I have posted it before.
Feb 26 10:06:27 pf1 packetfence_httpd.aaa: httpd.aaa(24517) WARN:
[mac:70:5a:0f:d3:20:84] Use of uninitialized value $role in
concatenation (.) or string at /usr/local/pf/lib/pf/role.pm line 483.
Feb 26 10:06:27 pf1 packetfence_httpd.aaa: httpd.aaa(24517) INFO:
[mac:70:5a:0f:d3:20:84] Username was NOT defined or unable to match a
role - returning node based role '' (pf::role::getRegisteredRole)
Feb 26 10:06:27 pf1 packetfence_httpd.aaa: httpd.aaa(24517) INFO:
[mac:70:5a:0f:d3:20:84] PID: "host/it4.ad", Status: reg Returned VLAN:
(undefined), Role: (undefined) (pf::role::fetchRoleForNode)
Feb 26 10:06:27 pf1 packetfence_httpd.aaa: httpd.aaa(24517) WARN:
[mac:70:5a:0f:d3:20:84] Use of uninitialized value $vlanName in hash
element at /usr/local/pf/lib/pf/Switch.pm line 608.
Feb 26 10:06:27 pf1 packetfence_httpd.aaa: httpd.aaa(24517) WARN:
[mac:70:5a:0f:d3:20:84] Use of uninitialized value $vlanName in
concatenation (.) or string at /usr/local/pf/lib/pf/Switch.pm line 611.
Feb 26 10:06:27 pf1 packetfence_httpd.aaa: httpd.aaa(24517) WARN:
[mac:70:5a:0f:d3:20:84] No parameter Vlan found in conf/switches.conf
for the switch 172.16.133.169 (pf::Switch::getVlanByName)
Feb 26 10:06:27 pf1 packetfence_httpd.aaa: httpd.aaa(24517) WARN:
[mac:70:5a:0f:d3:20:84] Use of uninitialized value $roleName in hash
element at /usr/local/pf/lib/pf/Switch.pm line 591.
Feb 26 10:06:27 pf1 packetfence_httpd.aaa: httpd.aaa(24517) WARN:
[mac:70:5a:0f:d3:20:84] Use of uninitialized value $roleName in
concatenation (.) or string at /usr/local/pf/lib/pf/Switch.pm line 594.
If I try the authentication with pftest with a test ad user which is in
test ad group the following happens (and make necessary arangements
in the authentication source).
[root@pf1 logs]# pftest authentication test testing123 AD
Testing authentication for "test"
Authenticating against 'AD' in context 'admin'
Authentication SUCCEEDED against AD (Authentication successful.)
Matched against AD for 'authentication' rule all
set_role : Informatika
set_access_duration : 1D
Did not match against AD for 'administration' rules
Authenticating against 'AD' in context 'portal'
Authentication SUCCEEDED against AD (Authentication successful.)
Matched against AD for 'authentication' rule all
set_role : Informatika
set_access_duration : 1D
Did not match against AD for 'administration' rules
Have I cleared things a bit?
Thank you and best regards.
Gregor Fajdiga
Sistemski administrator, Informatika
System administrator, IT
Delo, d.o.o.
Dunajska 5,
SI-1509 Ljubljana
T: +386 1 4737 993
[email protected] <mailto:[email protected]>
www.delo.si <http://www.delo.si>
Ludovic Zammit wrote:
Hello Gregor,
I don’t know what you try to achieve but that’s not how to do it.
Two options:
- do a conf/vlan_filters.conf to assign a access to a Mac address. You
have an example inside the file.
- Register your Mac address manually and then assign the role that you
want. If you want to massively assign a role to Mac addresses, use the
importation.
Thanks,
Ludovic Zammit
[email protected] <mailto:[email protected]> :: +1.514.447.4918 (x145)
::www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence
(http://packetfence.org)
On Feb 26, 2020, at 4:39 AM, Gregor Fajdiga <[email protected]
<mailto:[email protected]>> wrote:
Hello Ludovic,
No. Computer account authenticates correctly. The problem is that
packetfence doesn't
assign the role that I have set in authentication rules in my
authentication source.
<agmmdanimjapjcim.png>
Feb 26 10:06:27 pf1 packetfence_httpd.aaa: httpd.aaa(24517) INFO:
[mac:70:5a:0f:d3:20:84] handling radius autz request: from switch_ip
=> (172.16.133.169), connection_type => Ethernet-EAP,switch_mac =>
(f8:b7:e2:00:00:01), mac => [70:5a:0f:d3:20:84], port => 10634,
username => "host/it4.ad" (pf::radius::authorize)
Feb 26 10:06:27 pf1 packetfence_httpd.aaa: httpd.aaa(24517) INFO:
[mac:70:5a:0f:d3:20:84] is doing machine auth with account
'host/it4.ad'. (pf::radius::authorize)
Feb 26 10:06:27 pf1 packetfence_httpd.aaa: httpd.aaa(24517) INFO:
[mac:70:5a:0f:d3:20:84] Instantiate profile 8021x
(pf::Connection::ProfileFactory::_from_profile)
Feb 26 10:06:27 pf1 packetfence_httpd.aaa: httpd.aaa(24517) INFO:
[mac:70:5a:0f:d3:20:84] Found authentication source(s) : DC1_DC2' for
realm 'ad' (pf::config::util::filter_authentication_sources)
Feb 26 10:06:27 pf1 packetfence_httpd.aaa: httpd.aaa(24517) INFO:
[mac:70:5a:0f:d3:20:84] Using sources DC1_DC2 for matching
(pf::authentication::match2)
Feb 26 10:06:27 pf1 packetfence_httpd.aaa: httpd.aaa(24517) WARN:
[mac:70:5a:0f:d3:20:84] No category computed for autoreg
(pf::role::getNodeInfoForAutoReg)
Feb 26 10:06:27 pf1 packetfence_httpd.aaa: httpd.aaa(24517) WARN:
[mac:70:5a:0f:d3:20:84] Switch type
'pf::Switch::Cisco::Catalyst_2960G' does not support
MABFloatingDevices (pf::SwitchSupports::__ANON__)
Feb 26 10:06:27 pf1 packetfence_httpd.aaa: httpd.aaa(24517) INFO:
[mac:70:5a:0f:d3:20:84] Found authentication source(s) : 'DC1_DC2'
for realm 'ad' (pf::config::util::filter_authentication_sources)
Feb 26 10:06:27 pf1 packetfence_httpd.aaa: httpd.aaa(24517) INFO:
[mac:70:5a:0f:d3:20:84] Role has already been computed and we don't
want to recompute it. Getting role from node_info
(pf::role::getRegisteredRole)
Feb 26 10:06:27 pf1 packetfence_httpd.aaa: httpd.aaa(24517) WARN:
[mac:70:5a:0f:d3:20:84] Use of uninitialized value $role in
concatenation (.) or string at /usr/local/pf/lib/pf/role.pm line 483.
Feb 26 10:06:27 pf1 packetfence_httpd.aaa: httpd.aaa(24517) INFO:
[mac:70:5a:0f:d3:20:84] Username was NOT defined or unable to match a
role - returning node based role '' (pf::role::getRegisteredRole)
Feb 26 10:06:27 pf1 packetfence_httpd.aaa: httpd.aaa(24517) INFO:
[mac:70:5a:0f:d3:20:84] PID: "host/it4.ad", Status: reg Returned
VLAN: (undefined), Role: (undefined) (pf::role::fetchRoleForNode)
Feb 26 10:06:27 pf1 packetfence_httpd.aaa: httpd.aaa(24517) WARN:
[mac:70:5a:0f:d3:20:84] Use of uninitialized value $vlanName in hash
element at /usr/local/pf/lib/pf/Switch.pm line 608.
Feb 26 10:06:27 pf1 packetfence_httpd.aaa: httpd.aaa(24517) WARN:
[mac:70:5a:0f:d3:20:84] Use of uninitialized value $vlanName in
concatenation (.) or string at /usr/local/pf/lib/pf/Switch.pm line 611.
Feb 26 10:06:27 pf1 packetfence_httpd.aaa: httpd.aaa(24517) WARN:
[mac:70:5a:0f:d3:20:84] No parameter Vlan found in conf/switches.conf
for the switch 172.16.133.169 (pf::Switch::getVlanByName)
Feb 26 10:06:27 pf1 packetfence_httpd.aaa: httpd.aaa(24517) WARN:
[mac:70:5a:0f:d3:20:84] Use of uninitialized value $roleName in hash
element at /usr/local/pf/lib/pf/Switch.pm line 591.
Feb 26 10:06:27 pf1 packetfence_httpd.aaa: httpd.aaa(24517) WARN:
[mac:70:5a:0f:d3:20:84] Use of uninitialized value $roleName in
concatenation (.) or string at /usr/local/pf/lib/pf/Switch.pm line 594.
Feb 26 10:06:27 pf1 packetfence_httpd.aaa: httpd.aaa(24517) INFO:
[mac:70:5a:0f:d3:20:84] security_event 1300003 force-closed for
70:5a:0f:d3:20:84 (pf::security_event::security_event_force_close)
Feb 26 10:06:27 pf1 packetfence_httpd.aaa: httpd.aaa(24517) INFO:
[mac:70:5a:0f:d3:20:84] Instantiate profile 8021x
(pf::Connection::ProfileFactory::_from_profile)
Feb 26 10:06:28 pf1 pfqueue: pfqueue(24783) WARN:
[mac:70:5a:0f:d3:20:84] Unable to pull accounting history for device
70:5a:0f:d3:20:84. The history set doesn't exist yet.
(pf::accounting_events_history::latest_mac_history)
However, it does work properly and assigns a role and vlan if I set
it manually for each node.
I would like to accomplish something similar to what Peter Truax
described previously in this thread, except I would like to base it
on the computers instead of users.
>We have our Packetfence server authenticating against an Active
Directory domain. If the user is found in Active Directory, then the
switch port is configured for a vlan based on the users AD group OU.
I have tried to set the following condition to the authentication
rules in my authentication source:
- without condition at all
- member of ad group
- mac address
- connection type
Regardless of what I have tried I got the same log as above.
Best regards,
Gregor Fajdiga
Sistemski administrator, Informatika
System administrator, IT
Delo, d.o.o.
Dunajska 5,
SI-1509 Ljubljana
T: +386 1 4737 993
[email protected] <mailto:[email protected]>
www.delo.si <http://www.delo.si/>
Ludovic Zammit wrote:
Hello Gregor,
Machine account and user account are different.
Machine account = servicePrincipalName
User account = samAccountName
Make sure to add the servicePrincipalName in the attribute list for
the search under your LDAP / AD source.
You can’t test a computer account with the bin/pftest authentication
tool.
Reply-Message = "max nodes per pid met or exceeded”
That error message means that you never got a role for that connection.
Grep your Mac address in the logs/packetfence.log and you would see
that your authentication did not match the correct source/rule.
Thanks,
Ludovic Zammit
[email protected] <mailto:[email protected]> :: +1.514.447.4918 (x145)
::www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence
(http://packetfence.org)
On Feb 21, 2020, at 8:17 AM, Gregor Fajdiga via PacketFence-users
<[email protected]
<mailto:[email protected]>> wrote:
I have tried with pf test and the user account and the users group.
Authenticating against 'DELODC3_DELODC4' in context 'admin'
Authentication SUCCEEDED against DELODC3_DELODC4 (Authentication
successful.)
Matched against DELODC3_DELODC4 for 'authentication' rule all
set_role : DTI
set_access_duration : 1D
Did not match against DELODC3_DELODC4 for 'administration' rules
Authenticating against 'DELODC3_DELODC4' in context 'portal'
Authentication SUCCEEDED against DELODC3_DELODC4 (Authentication
successful.)
Matched against DELODC3_DELODC4 for 'authentication' rule all
set_role : DTI
set_access_duration : 1D
Did not match against DELODC3_DELODC4 for 'administration' rules
I don't have any administration rules.
However when I use the machine account and the corresponding group
I always get
Reply-Message = "max nodes per pid met or exceeded"
unless I set the role in the Node configuration.
Best regards,
Gregor Fajdiga
Sistemski administrator, Informatika
System administrator, IT
Delo, d.o.o.
Dunajska 5,
SI-1509 Ljubljana
T: +386 1 4737 993
[email protected] <mailto:[email protected]>
www.delo.si <http://www.delo.si/>
Gregor Fajdiga wrote:
Could you please tell me how you did that.
I am trying to set a rule in the Authentication source, but it
doesn't seem to work.
I have tried the following
memberOf is member of IT
memberOf equals IT
memberOf is member of ou=IT,ou=..., ...
memberOf equals ou=IT,ou=..., ...
My version of Packetfence is 9.3.0.
Best regards,
Gregor Fajdiga
Sistemski administrator, Informatika
System administrator, IT
Delo, d.o.o.
Dunajska 5,
SI-1509 Ljubljana
T: +386 1 4737 993
[email protected] <mailto:[email protected]>
www.delo.si <http://www.delo.si/>
Truax, Peter via PacketFence-users wrote:
If the user is found in Active Directory, then the switch port is
configured for a vlan based on the users AD group OU.
_______________________________________________
PacketFence-users mailing list
[email protected]
<mailto:[email protected]>
https://lists.sourceforge.net/lists/listinfo/packetfence-users
_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
