I've got the same problem (previously posted) without solving it yet. pftest works as expected, but the real world only gets auth but no role.
________________________________
From: Christian Sudec via PacketFence-users <[email protected]>
Sent: Tuesday, March 10, 2020 5:19:26 PM
To: Ludovic Zammit <[email protected]>
Cc: Christian Sudec <[email protected]>; [email protected] <[email protected]>
Subject: Re: [PacketFence-users] Aruba AP and VLAN Mapping - Addition

Hi again!

I ran 'pftest authentication Testy Testpwd' and these are the results:

Authenticating against 'HTL_AD' in context 'admin'
  Authentication SUCCEEDED against HTL_AD (Authentication successful.)
  Matched against HTL_AD for 'authentication' rule Teachers
    set_role : Teacher
    set_access_duration : 1D
  Did not match against HTL_AD for 'administration' rules
Authenticating against 'HTL_AD' in context 'portal'
  Authentication SUCCEEDED against HTL_AD (Authentication successful.)
  Matched against HTL_AD for 'authentication' rule Teachers
    set_role : Teacher
    set_access_duration : 1D
  Did not match against HTL_AD for 'administration' rules

So I get the preferred role, but as stated in the logs and in 'Auditing' I didn't get it... ???

regards
Chris

On 10.03.2020 16:09, Ludovic Zammit wrote:
> Ok, so if you are doing 802.1x then most of the time you do
> auto-registration where you don't display the captive portal.
>
> In that case, your access would be computed on the fly. Do that and
> remove device info:
>
> grep MAC_ADDRESS /usr/local/pf/logs/packetfence.log
>
> My guess is that you don't match or get the VLAN for the proper role.
> Check for the auto register option on the connection profile.
>
> Thanks,
> Ludovic Zammit
> [email protected] :: +1.514.447.4918 (x145) :: www.inverse.ca
> Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence (http://packetfence.org)
>
>> On Mar 10, 2020, at 11:04 AM, Christian Sudec <[email protected]> wrote:
>>
>> Hello Ludovic!
>>
>> On 10.03.2020 14:42, Ludovic Zammit wrote:
>>> Hello Christian,
>>>
>>> Are you doing VLAN enforcement or Role enforcement ?
>> We're doing only 'RADIUS Enforcement' as this is the requirement for
>> 802.1x (both wireless and wired).
>>
>>> On Aruba you have to do one of them, not both at the same time.
>> What do you mean? When doing 802.1x packetfence uses the username and password
>> with its authentication rules to determine the role (eg. teacher/pupil), which is used in the
>> switch-profile with "Role mapping by VLAN ID" to provide the correct VLAN (772/773).
>>
>>> How are you redirected on the captive portal ? By a radius request ?
>> There is no captive portal, because no guests are allowed.
>>
>>> Once you get authenticated PF sends a radius disconnect message to
>>> the AP to kick your MAC address out for the client to reconnect
>>> immediately and get the production vlan/role
>> That's my question: there is no Tunnel-Private-Group-ID and no disconnect message. How and where do
>> I set/debug these?
>>
>>> Check the logs/packetfence.log for your MAC address the activity and
>>> see if you can find any error.
>> Nothing useful (at least for me) in there:
>> Mar 10 12:10:22 ippf auth[1659]: (14606) Login OK: [Testy] (from client 10.71.100.63/32 port 0 cli bc:d1:d3:31:13:78 via TLS tunnel)
>> Mar 10 12:10:22 ippf auth[1659]: [mac:bc:d1:d3:31:13:78] Accepted user: Testy and returned VLAN
>> Mar 10 12:10:22 ippf auth[1659]: (14607) Login OK: [Testy] (from client 10.71.100.63/32 port 0 cli bc:d1:d3:31:13:78)
>>
>> As you can see: returned VLAN - but I don't get one...
>>
>> kind regards
>>>
>>> Thanks,
>>> Ludovic Zammit
>>> [email protected] :: +1.514.447.4918 (x145) :: www.inverse.ca
>>> Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence (http://packetfence.org)
>>>
>>>> On Mar 10, 2020, at 8:00 AM, Christian Sudec via PacketFence-users <[email protected]> wrote:
>>>>
>>>> Hi everybody!
>>>>
>>>> First the current situation so far:
>>>>
>>>> We installed a test-network, where the packetfence-server is reachable with an ip 10.5.1.4 (type management)
>>>> and set 'RADIUS enforcement' as chosen method.
>>>>
>>>> Next we installed a Mikrotik-Switch (POE) with 4 VLANS (771-774) and attached an Aruba-AP to a trunk port
>>>> with the mentioned VLANs. The default VLAN is 771 and the AP gets an IP and can connect to the pf-server.
>>>>
>>>> Now we created an authentication-source to our AD and created a switch-template for the AP. There are two
>>>> roles based on AD-group-membership: teachers (VID 772) and pupils (VID 773) - set in the switch profile under
>>>> 'Role mapping by VLAN ID'.
>>>>
>>>> As far as it was possible, we set up the AP according to the packetfence device configuration guide, because
>>>> the guide refers to ArubaOS 5.x, but we are already at 8.6.0.2.
>>>>
>>>> Now we are stuck: everybody can login with an ad-username (and password), but the user doesn't get
>>>> transferred to the correct vlan and stays in the default. In 'Auditing' I can see at 'Node Information' the
>>>> Role N/A and there is no Tunnel-Private-Group-ID in the RADIUS Reply.
>>>>
>>>> Can somebody enlighten me on what to check or what to set / how to debug?
>>>>
>>>> kind regards
>>>> Chris
>>>>
>>>> _______________________________________________
>>>> PacketFence-users mailing list
>>>> [email protected]
>>>> https://lists.sourceforge.net/lists/listinfo/packetfence-users
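The checks Ludovic asks for (grep the MAC in packetfence.log, look at what the RADIUS reply actually carries) can be scripted so the three symptoms in the thread are told apart mechanically: no Login OK at all, Login OK plus a reply that carries the VLAN triplet, or the situation Chris reports, where the log says "returned VLAN" but the Access-Accept has no Tunnel-Private-Group-Id. The script below is an added example and is not code from the thread or from the PacketFence project. It assumes the attribute spelling FreeRADIUS prints in `radclient -x` output (`Tunnel-Type`, `Tunnel-Medium-Type`, `Tunnel-Private-Group-Id`), and the live helper assumes a PacketFence server at 10.5.1.4, the NAS address 10.71.100.63 seen in the thread's log lines, and a placeholder shared secret `testing123`; the log and reply samples are constructed from the lines quoted above.

```shell
#!/usr/bin/env bash
# Added example (not from the thread or from PacketFence).
# Offline diagnosis of an 802.1X VLAN-assignment problem from two pieces of evidence:
# the packetfence.log lines for a MAC and the text of the RADIUS reply the NAS received.

# Print the VLAN from a RADIUS reply (radclient -x / freeradius debug text on stdin)
# only if the full triplet a switch or AP needs is present; otherwise print NONE.
vlan_from_reply() {
  awk '
    tolower($0) ~ /tunnel-type/             && /VLAN/     { t = 1 }
    tolower($0) ~ /tunnel-medium-type/      && /IEEE-802/ { m = 1 }
    tolower($0) ~ /tunnel-private-group-id/ { sub(/.*= */, ""); gsub(/"/, ""); v = $0 }
    END { if (t && m && v != "") print v; else print "NONE" }'
}

# Count log lines (stdin) that mention MAC ($1, case-insensitive) and match PATTERN ($2).
count_log_lines() {
  awk -v mac="$1" -v pat="$2" \
    'index(tolower($0), tolower(mac)) && $0 ~ pat { n++ } END { print n + 0 }'
}

# Combine both views. First word of the output is a status code: NOAUTH, OK, MISMATCH, NOVLAN.
# The hints follow the advice given in the thread (pftest, auto-register, role-to-VLAN mapping).
diagnose() {   # usage: diagnose MAC LOGTEXT REPLYTEXT
  local mac="$1" logtext="$2" replytext="$3"
  local ok said vlan
  ok=$(printf '%s\n' "$logtext" | count_log_lines "$mac" 'Login OK')
  said=$(printf '%s\n' "$logtext" | count_log_lines "$mac" 'returned VLAN')
  vlan=$(printf '%s\n' "$replytext" | vlan_from_reply)
  if [ "$ok" -eq 0 ]; then
    echo "NOAUTH no 'Login OK' for $mac: verify the source and its rules with 'pftest authentication <user> <pass>'"
  elif [ "$vlan" != "NONE" ]; then
    echo "OK reply carries Tunnel-Private-Group-Id $vlan"
  elif [ "$said" -gt 0 ]; then
    echo "MISMATCH log says a VLAN was returned but the reply has no Tunnel-Private-Group-Id: check the node's role (Auditing showing Role N/A means none was set) and the auto-register option on the connection profile"
  else
    echo "NOVLAN accepted but no VLAN computed: check the role-to-VLAN mapping on the switch entry"
  fi
}

# Live variant, only if the FreeRADIUS client utilities are installed. Sends a PAP request,
# so it does not exercise the EAP/TLS tunnel, but the reply attributes are what the AP sees.
# Assumed values: PF server 10.5.1.4, NAS 10.71.100.63 (from the thread), secret "testing123".
send_test_request() {   # usage: send_test_request USER PASS MAC > reply.txt
  command -v radclient >/dev/null || { echo "radclient not installed" >&2; return 1; }
  printf 'User-Name = "%s"\nUser-Password = "%s"\nCalling-Station-Id = "%s"\nNAS-IP-Address = 10.71.100.63\nNAS-Port = 0\n' \
    "$1" "$2" "$3" | radclient -x 10.5.1.4:1812 auth testing123
}

# Constructed samples, modelled on the lines quoted in the thread.
SAMPLE_LOG='Mar 10 12:10:22 ippf auth[1659]: (14606) Login OK: [Testy] (from client 10.71.100.63/32 port 0 cli bc:d1:d3:31:13:78 via TLS tunnel)
Mar 10 12:10:22 ippf auth[1659]: [mac:bc:d1:d3:31:13:78] Accepted user: Testy and returned VLAN
Mar 10 12:10:22 ippf auth[1659]: (14607) Login OK: [Testy] (from client 10.71.100.63/32 port 0 cli bc:d1:d3:31:13:78)'

# The reply Chris describes: an Access-Accept with no tunnel attributes at all (constructed).
SAMPLE_REPLY_EMPTY='Received Access-Accept Id 7 from 10.5.1.4:1812 to 10.71.100.63:51234 length 20'

# What a working reply looks like (constructed): the three attributes the AP needs for VLAN 772.
SAMPLE_REPLY_OK='Received Access-Accept Id 8 from 10.5.1.4:1812 to 10.71.100.63:51234 length 44
	Tunnel-Type:0 = VLAN
	Tunnel-Medium-Type:0 = IEEE-802
	Tunnel-Private-Group-Id:0 = "772"'

# Offline demonstration on the samples above.
diagnose "bc:d1:d3:31:13:78" "$SAMPLE_LOG" "$SAMPLE_REPLY_EMPTY"
diagnose "bc:d1:d3:31:13:78" "$SAMPLE_LOG" "$SAMPLE_REPLY_OK"
```

To use it against a real setup, capture the evidence first (`grep -i bc:d1:d3:31:13:78 /usr/local/pf/logs/packetfence.log > log.txt` and `send_test_request Testy Testpwd bc:d1:d3:31:13:78 > reply.txt`) and call `diagnose` with the two files' contents. Two caveats: PacketFence only answers RADIUS from hosts it knows as switches, so the live request has to come from an address in its switch list; and a PAP request takes a different path than the PEAP/EAP-TLS tunnel the AP uses, so a clean reply here does not rule out a problem confined to the EAP flow.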
