I don't get it. Please elaborate.

Because I don't have two rules.

It is either the first or the second.

Regards,

Gregor Fajdiga
Sistemski administrator, Informatika
System administrator, IT


Delo, d.o.o.
Dunajska 5,
SI-1509 Ljubljana

T: +386 1 4737 993
[email protected] <mailto:[email protected]>

www.delo.si <http://www.delo.si>


Ludovic Zammit wrote:
Hello Gregor,

I did not catch it last time, but you need to bring the rule with your computer above the one with no filter, because that one will always match and the following ones are never checked.

Thanks,
Ludovic Zammit
[email protected] <mailto:[email protected]>  ::  +1.514.447.4918 (x145) 
::www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
(http://packetfence.org)

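As an added illustration of the rule-order point above (this is not PacketFence code; the `[source rule name]` sections follow the conf shown in this thread, while the `conditionN=attribute,operator,value` line format and the attribute names are assumptions), a small Python model of first-match rule evaluation over a constructed authentication.conf fragment, showing the catch-all shadowing the computer rule and the effect of moving the specific rule above it:

```python
import re
# Constructed conf fragment: the catch-all sits ABOVE the computer rule (wrong order).
CONF = """\
[AD1 rule catchall]
match=all
action0=set_role=guest

[AD1 rule computers]
match=all
condition0=servicePrincipalName,equals,host/it4.ad
action0=set_role=Informatika
action1=set_access_duration=1D
"""

def parse_rules(text):
    """Return the '[source rule name]' sections in file order."""
    rules, cur = [], None
    for line in text.splitlines():
        m = re.match(r"\[(\S+) rule (\S+)\]", line.strip())
        if m:
            cur = {"name": m.group(2), "match": "all", "conds": [], "actions": {}}
            rules.append(cur)
        elif cur and "=" in line:
            key, val = line.strip().split("=", 1)
            if key == "match":
                cur["match"] = val
            elif key.startswith("condition"):  # assumed form: attr,operator,value
                cur["conds"].append(tuple(val.split(",", 2)))
            elif key.startswith("action"):     # form: action_name=value
                cur["actions"].update([val.split("=", 1)])
    return rules

def cond_ok(attrs, attr, op, target):
    if op == "equals":
        return attrs.get(attr, "") == target
    if op == "is member of":
        return target in attrs.get(attr, [])
    raise ValueError("unsupported operator: " + op)

def first_match(rules, attrs):
    """First matching rule wins; a rule with no conditions always matches."""
    for r in rules:
        hits = [cond_ok(attrs, *c) for c in r["conds"]]
        if not hits or (all(hits) if r["match"] == "all" else any(hits)):
            return r["name"], r["actions"]
    return None, {}

def move_to_top(rules, name):  # the fix: specific rule above the catch-all (stable sort)
    return sorted(rules, key=lambda r: r["name"] != name)
```

With the catch-all first, the machine account gets `guest`; once `computers` is moved above it, the same account gets `Informatika` while unknown hosts still fall through to the catch-all.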



On Mar 2, 2020, at 12:03 AM, Gregor Fajdiga <[email protected] <mailto:[email protected]>> wrote:

[local]
description=Local Users
type=SQL

[file1]
description=Legacy Source
path=/usr/local/pf/conf/admin.conf
type=Htpasswd
realms=null

[file1 rule admins]
description=All admins
class=administration
match=all
action0=set_access_level=ALL

[sms]
description=SMS-based registration
sms_carriers=100056,100057,100061,100058,100059,100060,100062,100063,100071,100064,100116,100066,100117,100112,100067,100065,100068,100069,100070,100118,100115,100072,100073,100074,100075,100076,100077,100085,100086,100080,100079,100081,100083,100082,100084,100087,100088,100111,100089,100090,100091,100092,100093,100094,100095,100096,100098,100097,100099,100100,100101,100113,100102,100103,100104,100106,100105,100107,100108,100109,100114,100110,100078,100119,100120,100121,100122,100123,100124,100125,100126,100127,100128
type=SMS
create_local_account=no

[sms rule catchall]
description=
class=authentication
match=all
action0=set_role=guest
action1=set_access_duration=1D

[email]
description=Email-based registration
email_activation_timeout=10m
type=Email
allow_localdomain=yes
create_local_account=no

[email rule catchall]
description=
class=authentication
match=all
action0=set_role=guest
action1=set_access_duration=1D

[sponsor]
description=Sponsor-based registration
type=SponsorEmail
allow_localdomain=yes
create_local_account=no

[sponsor rule catchall]
description=
class=authentication
match=all
action0=set_role=guest
action1=set_access_duration=1D

[null]
description=Null Source
type=Null
email_required=no

[null rule catchall]
description=catchall
class=authentication
match=all
action0=set_role=guest
action1=set_access_duration=1D

[AD1]
read_timeout=10
realms=
basedn=
monitor=1
password=
shuffle=0
searchattributes=servicePrincipalName
set_access_durations_action=
scope=sub
email_attribute=mail
usernameattribute=sAMAccountName
connection_timeout=1
binddn=
encryption=none
description=Domain Controllers
port=389
host=ad
write_timeout=5
type=AD
set_access_level_action=
cache_match=0

[AD1 rule all]
action0=set_role=Informatika
match=any
class=authentication
action1=set_access_duration=1D

This is it.

Thank you.

Regards,

Gregor.

On 2/28/20 4:30 PM, Ludovic Zammit wrote:
Hello Gregor,

Show your conf/authentication.conf and remove your personal infos.

Thanks,
Ludovic Zammit




On Feb 28, 2020, at 4:10 AM, Gregor Fajdiga <[email protected] <mailto:[email protected]>> wrote:

Hello,

What I would like to achieve is the following. I would like to assign the default role to the computers that successfully authenticated through the authentication source.

What I am trying to tell you is this. No matter what kind of condition I set in the authentication rule in the authentication source (even if I don't set the condition), the action gets ignored and the role (as default) isn't set on the computer that successfully authenticates.

[two screenshots of the authentication rule configuration, attached as images]

If I do it like in the screenshots above, it doesn't assign the Role to the successfully authenticated computer and throws the same log as I have posted it before.

Feb 26 10:06:27 pf1 packetfence_httpd.aaa: httpd.aaa(24517) WARN: [mac:70:5a:0f:d3:20:84] Use of uninitialized value $role in concatenation (.) or string at /usr/local/pf/lib/pf/role.pm line 483.
Feb 26 10:06:27 pf1 packetfence_httpd.aaa: httpd.aaa(24517) INFO: [mac:70:5a:0f:d3:20:84] Username was NOT defined or unable to match a role - returning node based role '' (pf::role::getRegisteredRole)
Feb 26 10:06:27 pf1 packetfence_httpd.aaa: httpd.aaa(24517) INFO: [mac:70:5a:0f:d3:20:84] PID: "host/it4.ad", Status: reg Returned VLAN: (undefined), Role: (undefined) (pf::role::fetchRoleForNode)
Feb 26 10:06:27 pf1 packetfence_httpd.aaa: httpd.aaa(24517) WARN: [mac:70:5a:0f:d3:20:84] Use of uninitialized value $vlanName in hash element at /usr/local/pf/lib/pf/Switch.pm line 608.
Feb 26 10:06:27 pf1 packetfence_httpd.aaa: httpd.aaa(24517) WARN: [mac:70:5a:0f:d3:20:84] Use of uninitialized value $vlanName in concatenation (.) or string at /usr/local/pf/lib/pf/Switch.pm line 611.
Feb 26 10:06:27 pf1 packetfence_httpd.aaa: httpd.aaa(24517) WARN: [mac:70:5a:0f:d3:20:84] No parameter Vlan found in conf/switches.conf for the switch 172.16.133.169 (pf::Switch::getVlanByName)
Feb 26 10:06:27 pf1 packetfence_httpd.aaa: httpd.aaa(24517) WARN: [mac:70:5a:0f:d3:20:84] Use of uninitialized value $roleName in hash element at /usr/local/pf/lib/pf/Switch.pm line 591.
Feb 26 10:06:27 pf1 packetfence_httpd.aaa: httpd.aaa(24517) WARN: [mac:70:5a:0f:d3:20:84] Use of uninitialized value $roleName in concatenation (.) or string at /usr/local/pf/lib/pf/Switch.pm line 594.


If I try the authentication with pftest with a test AD user which is in the test AD group, the following happens (after making the necessary arrangements in the authentication source).
[root@pf1 logs]# pftest authentication test testing123 AD

Testing authentication for "test"

Authenticating against 'AD' in context 'admin'
  Authentication SUCCEEDED against AD (Authentication successful.)
  Matched against AD for 'authentication' rule all
    set_role : Informatika
    set_access_duration : 1D
  Did not match against AD for 'administration' rules

Authenticating against 'AD' in context 'portal'
  Authentication SUCCEEDED against AD (Authentication successful.)
  Matched against AD for 'authentication' rule all
    set_role : Informatika
    set_access_duration : 1D
  Did not match against AD for 'administration' rules

Have I cleared things a bit?

Thank you and best regards.

Gregor Fajdiga


Ludovic Zammit wrote:
Hello Gregor,

I don’t know what you try to achieve but that’s not how to do it.

Two options:

- do a conf/vlan_filters.conf to assign an access to a MAC address. You have an example inside the file.

- Register your MAC address manually and then assign the role that you want. If you want to massively assign a role to MAC addresses, use the importation.

Thanks,
Ludovic Zammit




On Feb 26, 2020, at 4:39 AM, Gregor Fajdiga <[email protected] <mailto:[email protected]>> wrote:

Hello Ludovic,

No. Computer account authenticates correctly. The problem is that packetfence doesn't assign the role that I have set in authentication rules in my authentication source.

[screenshot of the authentication rule configuration, attached as an image]

Feb 26 10:06:27 pf1 packetfence_httpd.aaa: httpd.aaa(24517) INFO: [mac:70:5a:0f:d3:20:84] handling radius autz request: from switch_ip => (172.16.133.169), connection_type => Ethernet-EAP,switch_mac => (f8:b7:e2:00:00:01), mac => [70:5a:0f:d3:20:84], port => 10634, username => "host/it4.ad" (pf::radius::authorize)
Feb 26 10:06:27 pf1 packetfence_httpd.aaa: httpd.aaa(24517) INFO: [mac:70:5a:0f:d3:20:84] is doing machine auth with account 'host/it4.ad'. (pf::radius::authorize)
Feb 26 10:06:27 pf1 packetfence_httpd.aaa: httpd.aaa(24517) INFO: [mac:70:5a:0f:d3:20:84] Instantiate profile 8021x (pf::Connection::ProfileFactory::_from_profile)
Feb 26 10:06:27 pf1 packetfence_httpd.aaa: httpd.aaa(24517) INFO: [mac:70:5a:0f:d3:20:84] Found authentication source(s) : DC1_DC2' for realm 'ad' (pf::config::util::filter_authentication_sources)
Feb 26 10:06:27 pf1 packetfence_httpd.aaa: httpd.aaa(24517) INFO: [mac:70:5a:0f:d3:20:84] Using sources DC1_DC2 for matching (pf::authentication::match2)
Feb 26 10:06:27 pf1 packetfence_httpd.aaa: httpd.aaa(24517) WARN: [mac:70:5a:0f:d3:20:84] No category computed for autoreg (pf::role::getNodeInfoForAutoReg)
Feb 26 10:06:27 pf1 packetfence_httpd.aaa: httpd.aaa(24517) WARN: [mac:70:5a:0f:d3:20:84] Switch type 'pf::Switch::Cisco::Catalyst_2960G' does not support MABFloatingDevices (pf::SwitchSupports::__ANON__)
Feb 26 10:06:27 pf1 packetfence_httpd.aaa: httpd.aaa(24517) INFO: [mac:70:5a:0f:d3:20:84] Found authentication source(s) : 'DC1_DC2' for realm 'ad' (pf::config::util::filter_authentication_sources)
Feb 26 10:06:27 pf1 packetfence_httpd.aaa: httpd.aaa(24517) INFO: [mac:70:5a:0f:d3:20:84] Role has already been computed and we don't want to recompute it. Getting role from node_info (pf::role::getRegisteredRole)
Feb 26 10:06:27 pf1 packetfence_httpd.aaa: httpd.aaa(24517) WARN: [mac:70:5a:0f:d3:20:84] Use of uninitialized value $role in concatenation (.) or string at /usr/local/pf/lib/pf/role.pm line 483.
Feb 26 10:06:27 pf1 packetfence_httpd.aaa: httpd.aaa(24517) INFO: [mac:70:5a:0f:d3:20:84] Username was NOT defined or unable to match a role - returning node based role '' (pf::role::getRegisteredRole)
Feb 26 10:06:27 pf1 packetfence_httpd.aaa: httpd.aaa(24517) INFO: [mac:70:5a:0f:d3:20:84] PID: "host/it4.ad", Status: reg Returned VLAN: (undefined), Role: (undefined) (pf::role::fetchRoleForNode)
Feb 26 10:06:27 pf1 packetfence_httpd.aaa: httpd.aaa(24517) WARN: [mac:70:5a:0f:d3:20:84] Use of uninitialized value $vlanName in hash element at /usr/local/pf/lib/pf/Switch.pm line 608.
Feb 26 10:06:27 pf1 packetfence_httpd.aaa: httpd.aaa(24517) WARN: [mac:70:5a:0f:d3:20:84] Use of uninitialized value $vlanName in concatenation (.) or string at /usr/local/pf/lib/pf/Switch.pm line 611.
Feb 26 10:06:27 pf1 packetfence_httpd.aaa: httpd.aaa(24517) WARN: [mac:70:5a:0f:d3:20:84] No parameter Vlan found in conf/switches.conf for the switch 172.16.133.169 (pf::Switch::getVlanByName)
Feb 26 10:06:27 pf1 packetfence_httpd.aaa: httpd.aaa(24517) WARN: [mac:70:5a:0f:d3:20:84] Use of uninitialized value $roleName in hash element at /usr/local/pf/lib/pf/Switch.pm line 591.
Feb 26 10:06:27 pf1 packetfence_httpd.aaa: httpd.aaa(24517) WARN: [mac:70:5a:0f:d3:20:84] Use of uninitialized value $roleName in concatenation (.) or string at /usr/local/pf/lib/pf/Switch.pm line 594.
Feb 26 10:06:27 pf1 packetfence_httpd.aaa: httpd.aaa(24517) INFO: [mac:70:5a:0f:d3:20:84] security_event 1300003 force-closed for 70:5a:0f:d3:20:84 (pf::security_event::security_event_force_close)
Feb 26 10:06:27 pf1 packetfence_httpd.aaa: httpd.aaa(24517) INFO: [mac:70:5a:0f:d3:20:84] Instantiate profile 8021x (pf::Connection::ProfileFactory::_from_profile)
Feb 26 10:06:28 pf1 pfqueue: pfqueue(24783) WARN: [mac:70:5a:0f:d3:20:84] Unable to pull accounting history for device 70:5a:0f:d3:20:84. The history set doesn't exist yet. (pf::accounting_events_history::latest_mac_history)


However, it does work properly and assigns a role and vlan if I set it manually for each node.

I would like to accomplish something similar to what Peter Truax described previously in this thread, except I would like to base it on the computers instead of users.

>We have our Packetfence server authenticating against an Active Directory domain. If the user is found in Active Directory, then the switch port is configured for a vlan based on the users AD group OU.

I have tried to set the following condition to the authentication rules in my authentication source:
- without condition at all
- member of ad group
- mac address
- connection type

Regardless of what I have tried I got the same log as above.

Best regards,


Gregor Fajdiga


Ludovic Zammit wrote:
Hello Gregor,

Machine account and user account are different.

Machine account = servicePrincipalName

User account = samAccountName

Make sure to add the servicePrincipalName in the attribute list for the search under your LDAP / AD source.

You can’t test a computer account with the bin/pftest authentication tool.

Reply-Message = "max nodes per pid met or exceeded”

That error message means that you never got a role for that connection.

Grep your MAC address in logs/packetfence.log and you would see that your authentication did not match the correct source/rule.

Thanks,
Ludovic Zammit




On Feb 21, 2020, at 8:17 AM, Gregor Fajdiga via PacketFence-users <[email protected] <mailto:[email protected]>> wrote:

I have tried with pftest and the user account and the users group.

Authenticating against 'DELODC3_DELODC4' in context 'admin'
Authentication SUCCEEDED against DELODC3_DELODC4 (Authentication successful.)
Matched against DELODC3_DELODC4 for 'authentication' rule all
set_role : DTI
set_access_duration : 1D
Did not match against DELODC3_DELODC4 for 'administration' rules

Authenticating against 'DELODC3_DELODC4' in context 'portal'
Authentication SUCCEEDED against DELODC3_DELODC4 (Authentication successful.)
Matched against DELODC3_DELODC4 for 'authentication' rule all
set_role : DTI
set_access_duration : 1D
Did not match against DELODC3_DELODC4 for 'administration' rules

I don't have any administration rules.

However when I use the machine account and the corresponding group I always get

Reply-Message = "max nodes per pid met or exceeded"

unless I set the role in the Node configuration.

Best regards,

Gregor Fajdiga


Gregor Fajdiga wrote:
Could you please tell me how you did that?

I am trying to set a rule in the Authentication source, but it doesn't seem to work.

I have tried the following
memberOf    is member of   IT
memberOf equals IT
memberOf    is member of ou=IT,ou=..., ...
memberOf equals ou=IT,ou=..., ...

My version of Packetfence is 9.3.0.

Best regards,

Gregor Fajdiga


Truax, Peter via PacketFence-users wrote:
If the user is found in Active Directory, then the switch port is configured for a vlan based on the users AD group OU.


_______________________________________________
PacketFence-users mailing list
[email protected] <mailto:[email protected]>
https://lists.sourceforge.net/lists/listinfo/packetfence-users