Thanks for the information.

Could you show me the conf/authentication.conf and conf/profiles.conf ?

Thanks,

Ludovic Zammit
lzam...@inverse.ca ::  +1.514.447.4918 (x145) ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence (http://packetfence.org)




> On Mar 11, 2020, at 6:07 AM, C. Sudec (Admin) <s...@htlwrn.ac.at> wrote:
> 
> Hi again!
> 
> Here is the realm.conf:
> [1 DEFAULT]
> admin_strip_username=enabled
> radius_strip_username=enabled
> portal_strip_username=enabled
> radius_acct=
> eduroam_radius_acct_proxy_type=load-balance
> eduroam_radius_auth_proxy_type=keyed-balance
> eduroam_radius_acct=
> eduroam_radius_auth_compute_in_pf=enabled
> radius_auth=
> permit_custom_attributes=disabled
> radius_auth_compute_in_pf=enabled
> radius_acct_proxy_type=load-balance
> radius_auth_proxy_type=keyed-balance
> domain=HTL
> eduroam_radius_auth=
> 
> [1 NULL]
> admin_strip_username=enabled
> radius_strip_username=enabled
> portal_strip_username=enabled
> eduroam_radius_auth_compute_in_pf=enabled
> eduroam_radius_acct=
> eduroam_radius_auth_proxy_type=keyed-balance
> radius_acct=
> eduroam_radius_acct_proxy_type=load-balance
> eduroam_radius_auth=
> radius_auth_proxy_type=keyed-balance
> domain=HTL
> radius_acct_proxy_type=load-balance
> radius_auth_compute_in_pf=enabled
> permit_custom_attributes=disabled
> radius_auth=
> 
> Thanks for looking into it!
> 
> greets
> Chris
> ________________________________________
> From: Ludovic Zammit [lzam...@inverse.ca]
> Sent: Tuesday, 10 March 2020 19:43
> To: C. Sudec (Admin)
> Cc: packetfence-users@lists.sourceforge.net
> Subject: Re: [PacketFence-users] Aruba AP and VLAN Mapping - Addition
> 
> Post the result of that command:
> 
> cat /usr/local/pf/conf/realm.conf
> 
> Thanks,
> 
> Ludovic Zammit
> lzam...@inverse.ca ::  +1.514.447.4918 (x145) ::  www.inverse.ca
> Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence (http://packetfence.org)
> 
> 
> 
> 
> On Mar 10, 2020, at 12:19 PM, Christian Sudec <c.su...@htlwrn.ac.at> wrote:
> 
> Hi again!
> 
> I ran 'pftest authentication Testy Testpwd' and these are the results:
> 
> Authenticating against 'HTL_AD' in context 'admin'
>  Authentication SUCCEEDED against HTL_AD (Authentication successful.)
>  Matched against HTL_AD for 'authentication' rule Teachers
>    set_role : Teacher
>    set_access_duration : 1D
>  Did not match against HTL_AD for 'administration' rules
> 
> Authenticating against 'HTL_AD' in context 'portal'
>  Authentication SUCCEEDED against HTL_AD (Authentication successful.)
>  Matched against HTL_AD for 'authentication' rule Teachers
>    set_role : Teacher
>    set_access_duration : 1D
>  Did not match against HTL_AD for 'administration' rules
> 
> So I get the preferred role, but as stated in the logs and in 'Auditing' I 
> didn't get it...
> ???
> 
> regards
> Chris
> 
> On 10.03.2020 16:09, Ludovic Zammit wrote:
> Ok, so if you are doing 802.1x then most of the time you do auto-registration 
> where you don’t display the captive portal.
> 
> In that case, your access would be computed on the fly. Do that and remove 
> device info:
> 
> grep MAC_ADDRESS /usr/local/pf/logs/packetfence.log
> 
> My guess is that you don’t match or get the VLAN for the proper role. Check 
> for the auto register option on the connection profile.
> 
> Thanks,
> Ludovic Zammit
> lzam...@inverse.ca ::  +1.514.447.4918 (x145) ::  www.inverse.ca
> Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence (http://packetfence.org)
> 
> 
> 
> 
> On Mar 10, 2020, at 11:04 AM, Christian Sudec <c.su...@htlwrn.ac.at> wrote:
> 
> Hello Ludovic!
> 
> 
> On 10.03.2020 14:42, Ludovic Zammit wrote:
> Hello Christian,
> 
> Are you doing VLAN enforcement or Role enforcement ?
> We're doing only 'RADIUS Enforcement' as this is the requirement for 802.1x 
> (both
> wireless and wired).
> 
> On Aruba you have to do one of them, not both at the same time.
> What do you mean? When doing 802.1x packetfence uses the username and 
> password
> with its authentication rules to determine the role (eg. teacher/pupil), 
> which is used in the
> switch-profile with "Role mapping by VLAN ID" to provide the correct VLAN 
> (772/773).
> 
> How are you redirected on the captive portal ? By a radius request ?
> There is no captive portal, because no guests are allowed.
> 
> Once you get authenticated PF sends a radius disconnect message to the AP to 
> kick your Mac address out for the client to reconnect immediately and get the 
> production vlan/role
> That's my question: there is no Tunnel-Private-Group-ID and no disconnect 
> message. How and where do
> I set/debug these?
> 
> Check the logs/packetfence.log for your Mac address the activity and see if 
> you can find any error.
> Nothing useful (at least for me) in there:
> Mar 10 12:10:22 ippf auth[1659]: (14606)   Login OK: [Testy] (from client 
> 10.71.100.63/32 port 0 cli bc:d1:d3:31:13:78 via TLS tunnel)
> Mar 10 12:10:22 ippf auth[1659]: [mac:bc:d1:d3:31:13:78] Accepted user: Testy 
> and returned VLAN
> Mar 10 12:10:22 ippf auth[1659]: (14607) Login OK: [Testy] (from client 
> 10.71.100.63/32 port 0 cli bc:d1:d3:31:13:78)
> 
> As you can see: returned VLAN - but I don't get one...
> 
> kind regards
> 
> Thanks,
> Ludovic Zammit
> lzam...@inverse.ca ::  +1.514.447.4918 (x145) ::  www.inverse.ca
> Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence (http://packetfence.org)
> 
> 
> 
> 
> On Mar 10, 2020, at 8:00 AM, Christian Sudec via PacketFence-users <packetfence-users@lists.sourceforge.net> wrote:
> 
> Hi everybody!
> 
> First the current situation so far:
> 
> We installed a test-network, where the packetfence-server is reachable with 
> an ip 10.5.1.4 (type management)
> and set 'RADIUS enforcement' as chosen method.
> 
> Next we installed a Mikrotik-Switch (POE) with 4 VLANS (771-774) and attached 
> an Aruba-AP to a trunk port
> with the mentioned VLANs. The default VLAN is 771 and the AP gets an IP and 
> can connect to the pf-server.
> 
> Now we created an authentication-source to our AD and created a 
> switch-template for the AP. There are two
> roles based on AD-group-membership: teachers (VID 772) and pupils (VID 773) - 
> set in the switch profile under
> 'Role mapping by VLAN ID'.
> 
> As far as it was possible, we set up the AP according to the packetfence 
> device configuration guide, because
> the guide refers to ArubaOS 5.x, but we are already at 8.6.0.2.
> 
> Now we are stuck: everybody can login with an ad-username (and password), but 
> the user doesn't get
> transferred to the correct vlan and stays in the default. In 'Auditing' I can 
> see at 'Node Information' the
> Role N/A and there is no Tunnel-Private-Group-ID in the RADIUS Reply.
> 
> Can somebody enlighten me on what to check or what to set / how to debug?
> 
> kind regards
> Chris
> 
> 
> _______________________________________________
> PacketFence-users mailing list
> PacketFence-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/packetfence-users
> 
> 
> 
> 
> 

_______________________________________________
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users
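
The symptom reported in the quoted thread, a RADIUS accept logged as "returned VLAN" with nothing after it, can be searched for across a whole log instead of one MAC address at a time. The script below is an added example, not part of the thread and not PacketFence code; it assumes that a successful assignment appends the VLAN ID after the word "VLAN", and its sample input is constructed from the lines quoted above.

```python
import re
from collections import defaultdict

# Constructed sample: the first three lines are the ones quoted in the thread,
# joined back onto single lines; the last line is invented to show the assumed
# form of an accept that does carry a VLAN ID.
SAMPLE_LOG = """\
Mar 10 12:10:22 ippf auth[1659]: (14606)   Login OK: [Testy] (from client 10.71.100.63/32 port 0 cli bc:d1:d3:31:13:78 via TLS tunnel)
Mar 10 12:10:22 ippf auth[1659]: [mac:bc:d1:d3:31:13:78] Accepted user: Testy and returned VLAN
Mar 10 12:10:22 ippf auth[1659]: (14607) Login OK: [Testy] (from client 10.71.100.63/32 port 0 cli bc:d1:d3:31:13:78)
Mar 10 12:11:05 ippf auth[1659]: [mac:00:11:22:33:44:55] Accepted user: Example and returned VLAN 772
"""

# The VLAN group is optional so that an empty "returned VLAN" still matches.
ACCEPT_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s.*?"
    r"\[mac:(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\]\s"
    r"Accepted user:\s(?P<user>.*?)\sand returned VLAN(?:\s+(?P<vlan>\S+))?\s*$",
    re.IGNORECASE,
)


def parse_accepts(text):
    """Yield one dict per 'Accepted user' line; 'vlan' is None when absent."""
    for line in text.splitlines():
        match = ACCEPT_RE.match(line)
        if match:
            yield match.groupdict()


def accepts_without_vlan(text):
    """Map MAC address -> [(timestamp, user), ...] for accepts with no VLAN."""
    missing = defaultdict(list)
    for rec in parse_accepts(text):
        if rec["vlan"] is None:
            missing[rec["mac"].lower()].append((rec["ts"], rec["user"]))
    return dict(missing)


if __name__ == "__main__":
    for mac, hits in accepts_without_vlan(SAMPLE_LOG).items():
        for ts, user in hits:
            print(f"{ts} {mac} user={user}: accepted, no VLAN returned")
```

Every MAC address it reports authenticated successfully but stayed on the default VLAN, which is the case where the role-to-VLAN mapping and the connection profile's auto-registration setting are worth checking.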