Hello Ludovic!

Thanks! After the post from Zachary I could get the correct VLAN when providing the username with the DOMAIN. Now, after removing the default realm from the AD source, it works without appending the domain. So I see the cause was the default realm that was set. Thank you again!

regards
Chris
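
As an added illustration of the behaviour Chris describes (this is not PacketFence's own code and was not posted by anyone in the thread): a small Python model of how a RADIUS username is split into user and realm, which realm.conf entry it falls under, and whether an authentication source restricted with `realms=` is consulted at all. It assumes PacketFence's documented realm semantics, which is an assumption of this example: a bare username falls into the NULL realm, a username whose realm has no explicit realm.conf section falls into DEFAULT, and a non-empty `realms=` list on a source limits that source to the listed realms. The realm and source settings are constructed from the realm.conf and authentication.conf quoted further down in the thread.

```python
"""Model of username -> realm -> source selection in a PacketFence-style
setup. Added illustration, not PacketFence code; realm semantics are an
assumption based on the documented NULL/DEFAULT realm behaviour."""

# Constructed from the realm.conf posted in the thread (both realms strip the
# realm part before the username is passed to the AD source).
REALMS = {
    "DEFAULT": {"domain": "HTL", "radius_strip_username": "enabled"},
    "NULL": {"domain": "HTL", "radius_strip_username": "enabled"},
}

# The HTL_AD source before the fix (restricted to the DEFAULT realm)...
HTL_AD_BEFORE = {"type": "AD", "realms": "default"}
# ...and after the fix (no realm restriction).
HTL_AD_AFTER = {"type": "AD", "realms": ""}


def split_username(username):
    """Return (user, realm) for user@realm, REALM\\user, or a bare user (realm None)."""
    if "\\" in username:
        realm, user = username.split("\\", 1)
        return user, realm
    if "@" in username:
        user, realm = username.rsplit("@", 1)
        return user, realm
    return username, None


def resolve_realm(username, realms=REALMS):
    """Map the realm part of the username to a realm.conf section name.

    Assumption: no realm part -> NULL; a realm with no section -> DEFAULT."""
    _, realm = split_username(username)
    if realm is None:
        return "NULL"
    return realm.upper() if realm.upper() in realms else "DEFAULT"


def stripped_username(username, realms=REALMS):
    """Username as handed to the source, honouring radius_strip_username."""
    name = resolve_realm(username, realms)
    user, _ = split_username(username)
    strip = realms[name].get("radius_strip_username") == "enabled"
    return user if strip else username


def source_accepts(source, username, realms=REALMS):
    """Empty realms= means the source serves every realm; otherwise only the listed ones."""
    allowed = [r.strip().upper() for r in source.get("realms", "").split(",") if r.strip()]
    return not allowed or resolve_realm(username, realms) in allowed


def decision(source, username):
    """(username sent to AD, whether the source is consulted at all)."""
    return stripped_username(username), source_accepts(source, username)


if __name__ == "__main__":
    for u in ("Testy", "Testy@HTL", "HTL\\Testy"):
        print(f"{u:12} before: {decision(HTL_AD_BEFORE, u)}  after: {decision(HTL_AD_AFTER, u)}")
```

With `realms=default` a bare "Testy" resolves to the NULL realm and the AD source is never consulted, so no rule runs and no role (hence no VLAN) is returned; "Testy@HTL" or "HTL\Testy" lands in DEFAULT and works. Clearing `realms=` makes the bare username work as well, which is the fix reported above.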

On 12.03.2020 13:31, Ludovic Zammit wrote:
Hello Christian,

Try to remove the default realm on the AD source and try again.

Are you using a cluster?

Thanks,
Ludovic Zammit
[email protected] :: +1.514.447.4918 (x145) :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence (http://packetfence.org)

On Mar 12, 2020, at 4:04 AM, Christian Sudec <[email protected]> wrote:

Hi Ludovic!

Here's the authentication.conf:
[local]
description=Local Users
type=SQL
dynamic_routing_module=AuthModule

[file1]
description=Legacy Source
path=/usr/local/pf/conf/admin.conf
type=Htpasswd
realms=null
dynamic_routing_module=AuthModule

[file1 rule admins]
description=All admins
class=administration
match=all
action0=set_access_level=ALL

[sms]
description=SMS-based registration
sms_carriers=100056,100057,100061,100058,100059,100060,100062,100063,100071,100064,100116,100066,100117,100112,100067,100065,100068,100069,100070,100118,100115,100072,100073,100074,100075,100076,100077,100085,100086,100080,100079,100081,100083,100082,100084,100087,100088,100111,100089,100090,100091,100092,100093,100094,100095,100096,100098,100097,100099,100100,100101,100113,100102,100103,100104,100106,100105,100107,100108,100109,100114,100110,100078,100119,100120,100121,100122,100123,100124,100125,100126,100127,100128
type=SMS
create_local_account=no
password_length=8
local_account_logins=0
hash_passwords=bcrypt
pin_code_length=6
sms_activation_timeout=10m
message=PIN: $pin
dynamic_routing_module=AuthModule

[sms rule catchall]
description=
class=authentication
match=all
action0=set_role=guest
action1=set_access_duration=1D

[email]
description=Email-based registration
email_activation_timeout=10m
type=Email
allow_localdomain=yes
create_local_account=no
hash_passwords=bcrypt
password_length=8
local_account_logins=0
dynamic_routing_module=AuthModule

[email rule catchall]
description=
class=authentication
match=all
action0=set_role=guest
action1=set_access_duration=1D

[null]
description=Null Source
type=Null
email_required=no
dynamic_routing_module=AuthModule

[null rule catchall]
description=catchall
class=authentication
match=all
action0=set_role=guest
action1=set_access_duration=1D

[HTL_AD]
shuffle=0
description=Authenticate against HTL Active Directory
host=10.1.1.2
password=OBFUSCATED
usernameattribute=sAMAccountName
email_attribute=mail
monitor=1
read_timeout=10
write_timeout=5
port=389
cache_match=0
scope=sub
basedn=OU=iPack,DC=DOMAINNAME
connection_timeout=1
set_access_durations_action=
encryption=none
searchattributes=
binddn=CN=Sync,OU=Diverse,OU=Sonstige,OU=Manuell,OU=iPack,DC=DOMAINNAME
realms=default
type=AD

[HTL_AD rule Teachers]
action1=set_access_duration=1D
description=set role according to membership in AD
condition0=memberOf,equals,CN=HTL-Lehrer,OU=Autogruppen,OU=Benutzer,OU=STAFF,OU=iPack,DC=DOMAINNAME
match=any
condition1=memberOf,equals,CN=HTL-Personal,OU=Autogruppen,OU=Benutzer,OU=STAFF,OU=iPack,DC=DOMAINNAME
action0=set_role=Teacher
class=authentication

[HTL_AD rule Pupils]
action0=set_role=Pupil
class=authentication
condition0=memberOf,equals,CN=HTL-Schueler,OU=Gruppen,OU=Manuell,OU=iPack,DC=DOMAINNAME
description=set role according to membership in AD
match=all
action1=set_access_duration=12h

[sponsor rule catchall]
description=
class=authentication
match=all
action0=set_role=guest
action1=set_access_duration=1D


And here follows profiles.conf:
[802.1x]
reuse_dot1x_credentials=enabled
dot1x_recompute_role_from_portal=disabled
filter=connection_type:Ethernet-EAP,connection_type:Wireless-802.11-EAP
autoregister=enabled
locale=
description=this profile should match wired AND wireless connection attempts
sources=HTL_AD

greets
Chris
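
As an added example (not PacketFence's rule engine and not code from the thread): a Python evaluator for the `[HTL_AD rule ...]` sections posted above, run against constructed AD attribute sets. It assumes that the first matching rule of a class wins, that `match=any` needs one condition to hold and `match=all` needs every condition, and it implements only the `equals` operator on memberOf; everything else about the rule format is taken from the config as posted. A user in neither group gets no role from any rule, which is one way a Role of N/A can come about.

```python
"""Evaluate PacketFence-style '[source rule name]' sections against a user's
AD attributes. Added example, not PacketFence's own rule engine; first
matching rule wins and only 'equals' on memberOf is implemented (assumptions)."""
import configparser

# Constructed excerpt of the HTL_AD rules posted in the thread.
RULES_CONF = """
[HTL_AD rule Teachers]
action1=set_access_duration=1D
condition0=memberOf,equals,CN=HTL-Lehrer,OU=Autogruppen,OU=Benutzer,OU=STAFF,OU=iPack,DC=DOMAINNAME
match=any
condition1=memberOf,equals,CN=HTL-Personal,OU=Autogruppen,OU=Benutzer,OU=STAFF,OU=iPack,DC=DOMAINNAME
action0=set_role=Teacher
class=authentication

[HTL_AD rule Pupils]
action0=set_role=Pupil
class=authentication
condition0=memberOf,equals,CN=HTL-Schueler,OU=Gruppen,OU=Manuell,OU=iPack,DC=DOMAINNAME
match=all
action1=set_access_duration=12h
"""


def load_rules(text, source):
    """Parse the rule sections belonging to `source` into a list of dicts."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    rules = []
    for section in cp.sections():
        parts = section.split(" rule ", 1)
        if len(parts) != 2 or parts[0] != source:
            continue
        sec = cp[section]
        # conditionN=attribute,operator,value (the value may itself contain commas: a DN)
        conds = [sec[k].split(",", 2) for k in sorted(sec) if k.startswith("condition")]
        # actionN=name=value
        actions = [sec[k].split("=", 1) for k in sorted(sec) if k.startswith("action")]
        rules.append({"name": parts[1], "class": sec.get("class", "authentication"),
                      "match": sec.get("match", "all"), "conditions": conds, "actions": actions})
    return rules


def condition_holds(cond, attrs):
    """Only 'equals' is implemented; memberOf is multi-valued, so compare against the list."""
    attr, op, value = cond
    if op != "equals":
        raise NotImplementedError(f"operator {op!r} not modelled here")
    have = attrs.get(attr, [])
    have = have if isinstance(have, list) else [have]
    return value in have


def apply_rules(rules, attrs, rule_class="authentication"):
    """Actions of the first matching rule in the class, or None when nothing matches."""
    for rule in rules:
        if rule["class"] != rule_class:
            continue
        results = [condition_holds(c, attrs) for c in rule["conditions"]]
        matched = any(results) if rule["match"] == "any" else all(results)
        if matched:
            return rule["name"], dict(rule["actions"])
    return None


RULES = load_rules(RULES_CONF, "HTL_AD")

# Constructed sample users (attribute values are made up for the example).
TEACHER = {"sAMAccountName": "Testy",
           "memberOf": ["CN=HTL-Personal,OU=Autogruppen,OU=Benutzer,OU=STAFF,OU=iPack,DC=DOMAINNAME"]}
PUPIL = {"sAMAccountName": "pupil1",
         "memberOf": ["CN=HTL-Schueler,OU=Gruppen,OU=Manuell,OU=iPack,DC=DOMAINNAME"]}
NOBODY = {"sAMAccountName": "guest", "memberOf": []}

if __name__ == "__main__":
    for user in (TEACHER, PUPIL, NOBODY):
        print(user["sAMAccountName"], "->", apply_rules(RULES, user))
```

Because the Teachers rule is listed first and uses `match=any`, a user who is in both HTL-Lehrer and HTL-Schueler is given the Teacher role; the rule order in authentication.conf is therefore part of the policy.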

On 11.03.2020 13:09, Ludovic Zammit wrote:
Thanks for the information.

Could you show me the conf/authentication.conf and conf/profiles.conf?

Thanks,
Ludovic Zammit

On Mar 11, 2020, at 6:07 AM, C. Sudec (Admin) <[email protected]> wrote:

Hi again!

Here is the realm.conf:
[1 DEFAULT]
admin_strip_username=enabled
radius_strip_username=enabled
portal_strip_username=enabled
radius_acct=
eduroam_radius_acct_proxy_type=load-balance
eduroam_radius_auth_proxy_type=keyed-balance
eduroam_radius_acct=
eduroam_radius_auth_compute_in_pf=enabled
radius_auth=
permit_custom_attributes=disabled
radius_auth_compute_in_pf=enabled
radius_acct_proxy_type=load-balance
radius_auth_proxy_type=keyed-balance
domain=HTL
eduroam_radius_auth=

[1 NULL]
admin_strip_username=enabled
radius_strip_username=enabled
portal_strip_username=enabled
eduroam_radius_auth_compute_in_pf=enabled
eduroam_radius_acct=
eduroam_radius_auth_proxy_type=keyed-balance
radius_acct=
eduroam_radius_acct_proxy_type=load-balance
eduroam_radius_auth=
radius_auth_proxy_type=keyed-balance
domain=HTL
radius_acct_proxy_type=load-balance
radius_auth_compute_in_pf=enabled
permit_custom_attributes=disabled
radius_auth=

Thanks for looking into it!

greets
Chris
________________________________________
From: Ludovic Zammit [[email protected]]
Sent: Tuesday, 10 March 2020 19:43
To: C. Sudec (Admin)
Cc: [email protected]
Subject: Re: [PacketFence-users] Aruba AP and VLAN Mapping - Addition

Post the result of that command:

cat /usr/local/pf/conf/realm.conf

Thanks,

Ludovic Zammit

On Mar 10, 2020, at 12:19 PM, Christian Sudec <[email protected]> wrote:

Hi again!

I ran 'pftest authentication Testy Testpwd' and these are the results:

Authenticating against 'HTL_AD' in context 'admin'
 Authentication SUCCEEDED against HTL_AD (Authentication successful.)
 Matched against HTL_AD for 'authentication' rule Teachers
   set_role : Teacher
   set_access_duration : 1D
 Did not match against HTL_AD for 'administration' rules

Authenticating against 'HTL_AD' in context 'portal'
 Authentication SUCCEEDED against HTL_AD (Authentication successful.)
 Matched against HTL_AD for 'authentication' rule Teachers
   set_role : Teacher
   set_access_duration : 1D
 Did not match against HTL_AD for 'administration' rules

So I get the preferred role, but as stated in the logs and in 'Auditing' I didn't get it...
???

regards
Chris

On 10.03.2020 16:09, Ludovic Zammit wrote:
Ok, so if you are doing 802.1x then most of the time you do auto-registration where you don’t display the captive portal.

In that case, your access would be computed on the fly. Do that and remove device info:

grep MAC_ADDRESS /usr/local/pf/logs/packetfence.log

My guess is that you don’t match or get the VLAN for the proper role. Check for the auto register option on the connection profile.

Thanks,
Ludovic Zammit

On Mar 10, 2020, at 11:04 AM, Christian Sudec <[email protected]> wrote:

Hello Ludovic!


On 10.03.2020 14:42, Ludovic Zammit wrote:
Hello Christian,

Are you doing VLAN enforcement or Role enforcement?
We're doing only 'RADIUS Enforcement', as this is the requirement for 802.1x (both wireless and wired).

On Aruba you have to do one of them, not both at the same time.
What do you mean? When doing 802.1x, PacketFence uses the username and password with its authentication rules to determine the role (e.g. teacher/pupil), which is used in the switch profile with "Role mapping by VLAN ID" to provide the correct VLAN (772/773).

How are you redirected on the captive portal? By a RADIUS request?
There is no captive portal, because no guests are allowed.

Once you get authenticated, PF sends a RADIUS disconnect message to the AP to kick your MAC address out, so the client reconnects immediately and gets the production VLAN/role.
That's my question: there is no Tunnel-Private-Group-ID and no disconnect message. How and where do I set/debug these?

Check the logs/packetfence.log for your Mac address the activity and see if you can find any error.
Nothing useful (at least for me) in there:
Mar 10 12:10:22 ippf auth[1659]: (14606)   Login OK: [Testy] (from client 10.71.100.63/32 port 0 cli bc:d1:d3:31:13:78 via TLS tunnel)
Mar 10 12:10:22 ippf auth[1659]: [mac:bc:d1:d3:31:13:78] Accepted user: Testy and returned VLAN
Mar 10 12:10:22 ippf auth[1659]: (14607) Login OK: [Testy] (from client 10.71.100.63/32 port 0 cli bc:d1:d3:31:13:78)

As you can see: returned VLAN - but I don't get one...

kind regards

Thanks,
Ludovic Zammit

On Mar 10, 2020, at 8:00 AM, Christian Sudec via PacketFence-users <[email protected]> wrote:

Hi everybody!

First the current situation so far:

We installed a test-network, where the packetfence-server is reachable with an ip 10.5.1.4 (type management)
and set 'RADIUS enforcement' as chosen method.

Next we installed a Mikrotik-Switch (POE) with 4 VLANS (771-774) and attached an Aruba-AP to a trunk port with the mentioned VLANs. The default VLAN is 771 and the AP gets an IP and can connect to the pf-server.

Now we created an authentication-source to our AD and created a switch-template for the AP. There are two roles based on AD-group-membership: teachers (VID 772) and pupils (VID 773) - set in the switch profile under
'Role mapping by VLAN ID'.

We set up the AP according to the PacketFence device configuration guide as far as that was possible, because the guide refers to ArubaOS 5.x but we are already on 8.6.0.2.

Now we are stuck: everybody can log in with an AD username (and password), but the user doesn't get transferred to the correct VLAN and stays in the default one. In 'Auditing' I can see under 'Node Information' the Role N/A, and there is no Tunnel-Private-Group-ID in the RADIUS Reply.

Can somebody enlighten me on what to check or what to set / how to debug?

kind regards
Chris


_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users