I did a test from a physical PC. I used the user "giacinto.caretto", which in the Authentication Source "DIPENDENTI-Test" has a specific "Authentication Rules" entry (access duration 3h), but the algorithm assigns the "access duration" of the "authentication rules" built for the user "caretto.giacinto" (1h).
This is the log of a test done from the PC, using the captive portal. I highlighted some steps in red and yellow, but I still don't understand where the error is:

Jul 7 09:15:46 pfbritest pfqueue: pfqueue(22473) INFO: [mac:20:cf:30:b1:f0:c8] Sending a firewall SSO 'Update' request for MAC '20:cf:30:b1:f0:c8' and IP '10.0.111.150' (pf::firewallsso::do_sso)
Jul 7 09:15:46 pfbritest pfqueue: pfqueue(27732) INFO: [mac:20:cf:30:b1:f0:c8] Instantiate profile CP_registration_BRI_VLAN11 (pf::Connection::ProfileFactory::_from_profile)
Jul 7 09:15:52 pfbritest packetfence_httpd.portal: httpd.portal(22460) INFO: [mac:20:cf:30:b1:f0:c8] Instantiate profile CP_registration_BRI_VLAN11 (pf::Connection::ProfileFactory::_from_profile)
Jul 7 09:15:52 pfbritest packetfence_httpd.portal: httpd.portal(22460) INFO: [mac:20:cf:30:b1:f0:c8] Found authentication source(s) : 'DIPENDENTI-Test' for realm 'null' (pf::config::util::filter_authentication_sources)
Jul 7 09:15:52 pfbritest packetfence_httpd.portal: httpd.portal(22460) INFO: [mac:20:cf:30:b1:f0:c8] Authenticating user using sources : DIPENDENTI-Test (captiveportal::PacketFence::DynamicRouting::Module::Authentication::Login::authenticate)
Jul 7 09:15:52 pfbritest packetfence_httpd.portal: httpd.portal(22460) INFO: [mac:20:cf:30:b1:f0:c8] [DIPENDENTI-Test] Authentication successful for giacinto.caretto (pf::Authentication::Source::LDAPSource::authenticate)
Jul 7 09:15:52 pfbritest packetfence_httpd.portal: httpd.portal(22460) INFO: [mac:20:cf:30:b1:f0:c8] Authentication successful for giacinto.caretto in source DIPENDENTI-Test (AD) (pf::authentication::authenticate)
Jul 7 09:15:52 pfbritest packetfence_httpd.portal: httpd.portal(22460) INFO: [mac:20:cf:30:b1:f0:c8] User giacinto.caretto has authenticated on the portal. (Class::MOP::Class:::after)
Jul 7 09:15:52 pfbritest packetfence_httpd.portal: httpd.portal(22460) INFO: [mac:20:cf:30:b1:f0:c8] Found source DIPENDENTI-Test in session. (Class::MOP::Class:::around)
Jul 7 09:15:52 pfbritest packetfence_httpd.portal: httpd.portal(22460) INFO: [mac:20:cf:30:b1:f0:c8] Found source DIPENDENTI-Test in session. (Class::MOP::Class:::around)
Jul 7 09:15:52 pfbritest packetfence_httpd.portal: httpd.portal(22460) INFO: [mac:20:cf:30:b1:f0:c8] Successfully authenticated giacinto.caretto (captiveportal::PacketFence::DynamicRouting::Module::Authentication::Login::authenticate)
Jul 7 09:15:52 pfbritest packetfence_httpd.portal: httpd.portal(22460) INFO: [mac:20:cf:30:b1:f0:c8] Found source DIPENDENTI-Test in session. (Class::MOP::Class:::around)
Jul 7 09:15:52 pfbritest packetfence_httpd.portal: httpd.portal(22460) INFO: [mac:20:cf:30:b1:f0:c8] Found source DIPENDENTI-Test in session. (Class::MOP::Class:::around)
Jul 7 09:15:52 pfbritest packetfence_httpd.portal: httpd.portal(22460) INFO: [mac:20:cf:30:b1:f0:c8] Found source DIPENDENTI-Test in session. (Class::MOP::Class:::around)
Jul 7 09:15:52 pfbritest packetfence_httpd.portal: httpd.portal(22460) INFO: [mac:20:cf:30:b1:f0:c8] User giacinto.caretto has authenticated on the portal. (Class::MOP::Class:::after)
Jul 7 09:15:52 pfbritest packetfence_httpd.portal: httpd.portal(22460) WARN: [mac:20:cf:30:b1:f0:c8] Calling match with empty/invalid rule class. Defaulting to 'authentication' (pf::authentication::match)
Jul 7 09:15:52 pfbritest packetfence_httpd.portal: httpd.portal(22460) INFO: [mac:20:cf:30:b1:f0:c8] Using sources DIPENDENTI-Test for matching (pf::authentication::match)
Jul 7 09:15:52 pfbritest packetfence_httpd.portal: httpd.portal(22460) WARN: [mac:20:cf:30:b1:f0:c8] [DIPENDENTI-Test asie_caretto.giacinto] Searching for (cn=giacinto.caretto), from OU=UO-Dipendenti,DC=enea,DC=it, with scope sub (pf::Authentication::Source::LDAPSource::match_in_subclass)
Jul 7 09:15:52 pfbritest packetfence_httpd.portal: httpd.portal(22460) INFO: [mac:20:cf:30:b1:f0:c8] LDAP testing connection (pf::LDAP::expire_if)
Jul 7 09:15:52 pfbritest packetfence_httpd.portal: httpd.portal(22460) INFO: [mac:20:cf:30:b1:f0:c8] Matched rule (asie_caretto.giacinto) in source DIPENDENTI-Test, returning actions. (pf::Authentication::Source::match_rule)
Jul 7 09:15:52 pfbritest packetfence_httpd.portal: httpd.portal(22460) INFO: [mac:20:cf:30:b1:f0:c8] Matched rule (asie_caretto.giacinto) in source DIPENDENTI-Test, returning actions. (pf::Authentication::Source::match)
Jul 7 09:15:52 pfbritest packetfence_httpd.portal: httpd.portal(22460) INFO: [mac:20:cf:30:b1:f0:c8] Found source DIPENDENTI-Test in session. (Class::MOP::Class:::around)
Jul 7 09:15:52 pfbritest packetfence_httpd.portal: httpd.portal(22460) INFO: [mac:20:cf:30:b1:f0:c8] User giacinto.caretto has authenticated on the portal. (Class::MOP::Class:::after)
Jul 7 09:15:52 pfbritest packetfence_httpd.portal: httpd.portal(22460) WARN: [mac:20:cf:30:b1:f0:c8] Calling match with empty/invalid rule class. Defaulting to 'authentication' (pf::authentication::match)
Jul 7 09:15:52 pfbritest packetfence_httpd.portal: httpd.portal(22460) INFO: [mac:20:cf:30:b1:f0:c8] Using sources DIPENDENTI-Test for matching (pf::authentication::match)
Jul 7 09:15:52 pfbritest packetfence_httpd.portal: httpd.portal(22460) INFO: [mac:20:cf:30:b1:f0:c8] Found source DIPENDENTI-Test in session. (Class::MOP::Class:::around)
Jul 7 09:15:52 pfbritest packetfence_httpd.portal: httpd.portal(22460) INFO: [mac:20:cf:30:b1:f0:c8] User giacinto.caretto has authenticated on the portal. (Class::MOP::Class:::after)
Jul 7 09:15:52 pfbritest packetfence_httpd.portal: httpd.portal(22460) WARN: [mac:20:cf:30:b1:f0:c8] Calling match with empty/invalid rule class. Defaulting to 'authentication' (pf::authentication::match)
Jul 7 09:15:52 pfbritest packetfence_httpd.portal: httpd.portal(22460) INFO: [mac:20:cf:30:b1:f0:c8] Using sources DIPENDENTI-Test for matching (pf::authentication::match)
Jul 7 09:15:52 pfbritest packetfence_httpd.portal: httpd.portal(22460) WARN: [mac:20:cf:30:b1:f0:c8] [DIPENDENTI-Test asie_caretto.giacinto] Searching for (cn=giacinto.caretto), from OU=UO-Dipendenti,DC=enea,DC=it, with scope sub (pf::Authentication::Source::LDAPSource::match_in_subclass)
Jul 7 09:15:52 pfbritest packetfence_httpd.portal: httpd.portal(22460) INFO: [mac:20:cf:30:b1:f0:c8] LDAP testing connection (pf::LDAP::expire_if)
Jul 7 09:15:52 pfbritest packetfence_httpd.portal: httpd.portal(22460) INFO: [mac:20:cf:30:b1:f0:c8] Matched rule (asie_caretto.giacinto) in source DIPENDENTI-Test, returning actions. (pf::Authentication::Source::match_rule)
Jul 7 09:15:52 pfbritest packetfence_httpd.portal: httpd.portal(22460) INFO: [mac:20:cf:30:b1:f0:c8] Matched rule (asie_caretto.giacinto) in source DIPENDENTI-Test, returning actions. (pf::Authentication::Source::match)
Jul 7 09:15:52 pfbritest packetfence_httpd.portal: httpd.portal(22460) INFO: [mac:20:cf:30:b1:f0:c8] Found source DIPENDENTI-Test in session. (Class::MOP::Class:::around)
Jul 7 09:15:52 pfbritest packetfence_httpd.portal: httpd.portal(22460) INFO: [mac:20:cf:30:b1:f0:c8] User giacinto.caretto has authenticated on the portal. (Class::MOP::Class:::after)
Jul 7 09:15:52 pfbritest packetfence_httpd.portal: httpd.portal(22460) WARN: [mac:20:cf:30:b1:f0:c8] Calling match with empty/invalid rule class. Defaulting to 'authentication' (pf::authentication::match)
Jul 7 09:15:52 pfbritest packetfence_httpd.portal: httpd.portal(22460) INFO: [mac:20:cf:30:b1:f0:c8] Using sources DIPENDENTI-Test for matching (pf::authentication::match)
Jul 7 09:15:52 pfbritest packetfence_httpd.portal: httpd.portal(22460) INFO: [mac:20:cf:30:b1:f0:c8] Found source DIPENDENTI-Test in session. (Class::MOP::Class:::around)
Jul 7 09:15:52 pfbritest packetfence_httpd.portal: httpd.portal(22460) INFO: [mac:20:cf:30:b1:f0:c8] Found source DIPENDENTI-Test in session. (Class::MOP::Class:::around)
Jul 7 09:15:52 pfbritest packetfence_httpd.portal: httpd.portal(21010) INFO: [mac:20:cf:30:b1:f0:c8] Instantiate profile CP_registration_BRI_VLAN11 (pf::Connection::ProfileFactory::_from_profile)
Jul 7 09:15:52 pfbritest packetfence_httpd.portal: httpd.portal(25408) INFO: [mac:20:cf:30:b1:f0:c8] Instantiate profile CP_registration_BRI_VLAN11 (pf::Connection::ProfileFactory::_from_profile)
Jul 7 09:15:53 pfbritest packetfence_httpd.portal: httpd.portal(25408) INFO: [mac:20:cf:30:b1:f0:c8] User giacinto.caretto has authenticated on the portal. (Class::MOP::Class:::after)
Jul 7 09:15:53 pfbritest packetfence_httpd.portal: httpd.portal(25408) INFO: [mac:20:cf:30:b1:f0:c8] No provisioner found for 20:cf:30:b1:f0:c8. Continuing. (captiveportal::PacketFence::DynamicRouting::Module::Provisioning::execute_child)
Jul 7 09:15:53 pfbritest packetfence_httpd.portal: httpd.portal(25408) INFO: [mac:20:cf:30:b1:f0:c8] User giacinto.caretto has authenticated on the portal. (Class::MOP::Class:::after)
Jul 7 09:15:53 pfbritest packetfence_httpd.portal: httpd.portal(25408) INFO: [mac:20:cf:30:b1:f0:c8] User giacinto.caretto has authenticated on the portal. (Class::MOP::Class:::after)
Jul 7 09:15:53 pfbritest packetfence_httpd.portal: httpd.portal(25408) INFO: [mac:20:cf:30:b1:f0:c8] User giacinto.caretto has authenticated on the portal. (Class::MOP::Class:::after)
Jul 7 09:15:53 pfbritest packetfence_httpd.portal: httpd.portal(25408) INFO: [mac:20:cf:30:b1:f0:c8] User giacinto.caretto has authenticated on the portal. (Class::MOP::Class:::after)
Jul 7 09:15:53 pfbritest packetfence_httpd.portal: httpd.portal(25408) INFO: [mac:20:cf:30:b1:f0:c8] User giacinto.caretto has authenticated on the portal. (Class::MOP::Class:::after)
Jul 7 09:15:53 pfbritest packetfence_httpd.portal: httpd.portal(25408) INFO: [mac:20:cf:30:b1:f0:c8] security_event 1300003 force-closed for 20:cf:30:b1:f0:c8 (pf::security_event::security_event_force_close)
Jul 7 09:15:53 pfbritest packetfence_httpd.portal: httpd.portal(25408) INFO: [mac:20:cf:30:b1:f0:c8] Instantiate profile CP_registration_BRI_VLAN11 (pf::Connection::ProfileFactory::_from_profile)
Jul 7 09:15:53 pfbritest packetfence_httpd.portal: httpd.portal(21010) WARN: [mac:20:cf:30:b1:f0:c8] locale from the URL is not supported (pf::Portal::Session::getLanguages)
Jul 7 09:15:53 pfbritest packetfence_httpd.portal: httpd.portal(21010) INFO: [mac:20:cf:30:b1:f0:c8] Instantiate profile CP_registration_BRI_VLAN11 (pf::Connection::ProfileFactory::_from_profile)
Jul 7 09:15:53 pfbritest packetfence_httpd.portal: httpd.portal(21010) WARN: [mac:20:cf:30:b1:f0:c8] locale from the URL is not supported (captiveportal::PacketFence::Controller::Root::getLanguages)
Jul 7 09:15:53 pfbritest packetfence_httpd.portal: httpd.portal(21010) INFO: [mac:20:cf:30:b1:f0:c8] Releasing device (captiveportal::PacketFence::DynamicRouting::Module::Root::release)
Jul 7 09:15:53 pfbritest packetfence_httpd.portal: httpd.portal(21010) INFO: [mac:20:cf:30:b1:f0:c8] User default has authenticated on the portal. (Class::MOP::Class:::after)
Jul 7 09:15:53 pfbritest packetfence_httpd.portal: httpd.portal(21010) INFO: [mac:20:cf:30:b1:f0:c8] Instantiate profile CP_registration_BRI_VLAN11 (pf::Connection::ProfileFactory::_from_profile)
Jul 7 09:15:53 pfbritest packetfence_httpd.portal: httpd.portal(21010) WARN: [mac:20:cf:30:b1:f0:c8] locale from the URL is not supported (pf::Portal::Session::getLanguages)
Jul 7 09:15:53 pfbritest packetfence_httpd.portal: httpd.portal(21010) INFO: [mac:20:cf:30:b1:f0:c8] re-evaluating access (manage_register called) (pf::enforcement::reevaluate_access)
Jul 7 09:15:53 pfbritest packetfence_httpd.webservices: httpd.webservices(5458) INFO: [mac:20:cf:30:b1:f0:c8] Sending a firewall SSO 'Update' request for MAC '20:cf:30:b1:f0:c8' and IP '10.0.111.150' (pf::firewallsso::do_sso)
Jul 7 09:15:53 pfbritest packetfence_httpd.portal: httpd.portal(21010) INFO: [mac:20:cf:30:b1:f0:c8] Instantiate profile CP_registration_BRI_VLAN11 (pf::Connection::ProfileFactory::_from_profile)
Jul 7 09:15:53 pfbritest packetfence_httpd.portal: httpd.portal(21010) INFO: [mac:20:cf:30:b1:f0:c8] VLAN reassignment is forced. (pf::enforcement::_should_we_reassign_vlan)
Jul 7 09:15:53 pfbritest packetfence_httpd.portal: httpd.portal(21010) INFO: [mac:20:cf:30:b1:f0:c8] switch port is (192.168.175.16) ifIndex 2connection type: Wired MAC Auth (pf::enforcement::_vlan_reevaluation)
Jul 7 09:15:53 pfbritest packetfence_httpd.webservices: httpd.webservices(5458) INFO: [mac:20:cf:30:b1:f0:c8] Request to /api/v1/firewall_sso/update is unauthorized, will perform a login (pf::api::unifiedapiclient::call)
Jul 7 09:15:54 pfbritest pfqueue: pfqueue(27748) WARN: [mac:20:cf:30:b1:f0:c8] Until CoA is implemented we will bounce the port on VLAN re-assignment traps for MAC-Auth (pf::Switch::handleReAssignVlanTrapForWiredMacAuth)
Jul 7 09:15:54 pfbritest packetfence_httpd.aaa: httpd.aaa(5460) WARN: [mac:20:cf:30:b1:f0:c8] Trying to match IP address with an invalid MAC address 'undef' (pf::ip4log::mac2ip)
Jul 7 09:16:01 pfbritest packetfence_httpd.aaa: httpd.aaa(5460) INFO: [mac:20:cf:30:b1:f0:c8] handling radius autz request: from switch_ip => (192.168.175.16), connection_type => Ethernet-NoEAP,switch_mac => (20:b3:99:66:d5:1e), mac => [20:cf:30:b1:f0:c8], port => 2, username => "20-CF-30-B1-F0-C8" (pf::radius::authorize)
Jul 7 09:16:01 pfbritest packetfence_httpd.aaa: httpd.aaa(5460) INFO: [mac:20:cf:30:b1:f0:c8] Instantiate profile CP_registration_BRI_VLAN11 (pf::Connection::ProfileFactory::_from_profile)
Jul 7 09:16:01 pfbritest packetfence_httpd.aaa: httpd.aaa(5460) INFO: [mac:20:cf:30:b1:f0:c8] Found authentication source(s) : 'DIPENDENTI-Test' for realm 'null' (pf::config::util::filter_authentication_sources)
Jul 7 09:16:01 pfbritest packetfence_httpd.aaa: httpd.aaa(5460) INFO: [mac:20:cf:30:b1:f0:c8] Connection type is MAC-AUTH. Getting role from node_info (pf::role::getRegisteredRole)
Jul 7 09:16:01 pfbritest packetfence_httpd.aaa: httpd.aaa(5460) INFO: [mac:20:cf:30:b1:f0:c8] Username was defined "20-CF-30-B1-F0-C8" - returning role 'default' (pf::role::getRegisteredRole)
Jul 7 09:16:01 pfbritest packetfence_httpd.aaa: httpd.aaa(5460) INFO: [mac:20:cf:30:b1:f0:c8] PID: "giacinto.caretto", Status: reg Returned VLAN: (undefined), Role: default (pf::role::fetchRoleForNode)
Jul 7 09:16:01 pfbritest packetfence_httpd.aaa: httpd.aaa(5460) WARN: [mac:20:cf:30:b1:f0:c8] Use of uninitialized value $index in numeric le (<=) at /usr/local/pf/lib/pf/role/pool.pm line 147.
Jul 7 09:16:01 pfbritest packetfence_httpd.aaa: httpd.aaa(5460) WARN: [mac:20:cf:30:b1:f0:c8] Use of uninitialized value $index in numeric le (<=) at /usr/local/pf/lib/pf/role/pool.pm line 147.
Jul 7 09:16:01 pfbritest packetfence_httpd.aaa: httpd.aaa(5460) WARN: [mac:20:cf:30:b1:f0:c8] Use of uninitialized value $index in addition (+) at /usr/local/pf/lib/pf/role/pool.pm line 148.
Jul 7 09:16:01 pfbritest packetfence_httpd.aaa: httpd.aaa(5460) INFO: [mac:20:cf:30:b1:f0:c8] (192.168.175.16) Added VLAN 100 to the returned RADIUS Access-Accept (pf::Switch::returnRadiusAccessAccept)
Jul 7 09:16:31 pfbritest packetfence_httpd.aaa: httpd.aaa(5460) INFO: [mac:20:cf:30:b1:f0:c8] handling radius autz request: from switch_ip => (192.168.175.16), connection_type => Ethernet-NoEAP,switch_mac => (20:b3:99:66:d5:1e), mac => [20:cf:30:b1:f0:c8], port => 2, username => "20-CF-30-B1-F0-C8" (pf::radius::authorize)
Jul 7 09:16:31 pfbritest packetfence_httpd.aaa: httpd.aaa(5460) INFO: [mac:20:cf:30:b1:f0:c8] Instantiate profile CP_registration_BRI_VLAN11 (pf::Connection::ProfileFactory::_from_profile)
Jul 7 09:16:31 pfbritest packetfence_httpd.aaa: httpd.aaa(5460) INFO: [mac:20:cf:30:b1:f0:c8] Found authentication source(s) : 'DIPENDENTI-Test' for realm 'null' (pf::config::util::filter_authentication_sources)
Jul 7 09:16:31 pfbritest packetfence_httpd.aaa: httpd.aaa(5460) INFO: [mac:20:cf:30:b1:f0:c8] Connection type is MAC-AUTH. Getting role from node_info (pf::role::getRegisteredRole)
Jul 7 09:16:31 pfbritest packetfence_httpd.aaa: httpd.aaa(5460) INFO: [mac:20:cf:30:b1:f0:c8] Username was defined "20-CF-30-B1-F0-C8" - returning role 'default' (pf::role::getRegisteredRole)
Jul 7 09:16:31 pfbritest packetfence_httpd.aaa: httpd.aaa(5460) INFO: [mac:20:cf:30:b1:f0:c8] PID: "giacinto.caretto", Status: reg Returned VLAN: (undefined), Role: default (pf::role::fetchRoleForNode)
Jul 7 09:16:31 pfbritest packetfence_httpd.aaa: httpd.aaa(5460) INFO: [mac:20:cf:30:b1:f0:c8] (192.168.175.16) Added VLAN 100 to the returned RADIUS Access-Accept (pf::Switch::returnRadiusAccessAccept)
Jul 7 09:16:32 pfbritest packetfence_httpd.aaa: httpd.aaa(5460) INFO: [mac:20:cf:30:b1:f0:c8] Updating locationlog from accounting request (pf::api::handle_accounting_metadata)
Jul 7 09:16:37 pfbritest pfqueue: pfqueue(23888) INFO: [mac:20:cf:30:b1:f0:c8] Sending a firewall SSO 'Stop' request for MAC '20:cf:30:b1:f0:c8' and IP '10.0.111.150' (pf::firewallsso::do_sso)
Jul 7 09:16:37 pfbritest pfqueue: pfqueue(23888) INFO: [mac:20:cf:30:b1:f0:c8] Sending a firewall SSO 'Start' request for MAC '20:cf:30:b1:f0:c8' and IP '192.168.172.14' (pf::firewallsso::do_sso)
Jul 7 09:16:37 pfbritest pfqueue: pfqueue(23888) INFO: [mac:20:cf:30:b1:f0:c8] Sending a firewall SSO 'Update' request for MAC '20:cf:30:b1:f0:c8' and IP '192.168.172.14' (pf::firewallsso::do_sso)
Jul 7 09:16:37 pfbritest pfqueue: pfqueue(23888) WARN: [mac:20:cf:30:b1:f0:c8] Unable to match MAC address to IP '192.168.172.14' (pf::ip4log::ip2mac)
Jul 7 09:16:37 pfbritest pfqueue: pfqueue(23888) INFO: [mac:20:cf:30:b1:f0:c8] oldip (10.0.111.150) and newip (192.168.172.14) are different for 20:cf:30:b1:f0:c8 - closing ip4log entry (pf::api::update_ip4log)
Jul 7 09:16:37 pfbritest pfqueue: pfqueue(27865) INFO: [mac:20:cf:30:b1:f0:c8] Instantiate profile CP_registration_BRI_VLAN11 (pf::Connection::ProfileFactory::_from_profile)

Giacinto Caretto
DTE-ICT-RETE
giacinto.care...@enea.it
ENEATEL 91 206
Uff. 0831201 206-234
FAX. 0831201 207
Mob. +393283904483
ENEA - CR Brindisi

________________________________
From: Ludovic Zammit <lzam...@inverse.ca>
Sent: Monday, 6 July 2020 21:00
To: Giacinto Caretto <giacinto.care...@enea.it>
Cc: packetfence-users@lists.sourceforge.net
Subject: Re: [PacketFence-users] Authentication Rules mismatch

Try to do it on the captive portal and see if it works. Look at the logs/packetfence.log to see what happens.

grep MAC-ADDRESS /usr/local/pf/logs/packetfence.log

It will show why it did not match.

Thanks,

Ludovic Zammit
lzam...@inverse.ca :: +1.514.447.4918 (x145) :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence (http://packetfence.org)

On Jul 6, 2020, at 2:50 PM, Giacinto Caretto <giacinto.care...@enea.it> wrote:

-sh-4.2$ more profiles.conf
[default]
logo=/common/logoENEA.png
redirecturl=http://www.enea.it
locale=it_IT
dot1x_recompute_role_from_portal=0
mac_auth_recompute_role_from_portal=0
sources=DIPENDENTI-Test
access_registration_when_registered=enabled
self_service=default
network_logoff=enabled
network_logoff_popup=enabled
dot1x_unset_on_unmatch=0
vlan_pool_technique=round_robbin

[registration_con_802.1x]
filter=connection_type:Ethernet-EAP
description=per chi usa il client 802.1x
autoregister=enabled
unreg_on_acct_stop=enabled

[CP_registration_BRI_VLAN11]
filter=connection_type:Ethernet-NoEAP,vlan:311
description=Registrazione utenti Brindisi tramite Captive Portal
advanced_filter=
sources=DIPENDENTI-Test

From: Ludovic Zammit
Sent: Monday, 6 July 2020 19:21
To: packetfence-users@lists.sourceforge.net
Cc: Giacinto Caretto
Subject: Re: [PacketFence-users] Authentication Rules mismatch

Hello Giacinto,

Could you show your conf/profiles.conf please?

Thanks,

Ludovic Zammit

On Jul 6, 2020, at 9:16 AM, Giacinto Caretto via PacketFence-users <packetfence-users@lists.sourceforge.net> wrote:

I am running the following test to solve a problem, but Authentication Rules mismatch.

2 users, giacinto.caretto and caretto.giacinto, both belonging to the OU = OU-Dipendenti

mac-auth by captive portal:
if login caretto.giacinto >> role = default and access duration 1 hour
if login giacinto.caretto >> role = default and access duration 3 hours
if login another user belonging to OU = UO-Dipendenti >> role = default and access duration 12 hours

I have created an Authentication Source “DIPENDENTI-Test”:

[DIPENDENTI-Test]
cache_match=0
read_timeout=10
realms=default,eneait,null
basedn=OU=UO-Dipendenti,DC=XXX,DC=YY
monitor=0
password=xxxxxxxxxxxx
shuffle=0
searchattributes=
set_access_durations_action=
scope=sub
email_attribute=mail
usernameattribute=cn
connection_timeout=1
binddn=XXXXXXXXXXX
encryption=ssl
description=Dipendenti - utenti ASIE dominio ENEAIT
port=XXXXX
host=XXXXXXXXXXX,YYYYYYYYYYYYYYYY
write_timeout=5
type=AD

[DIPENDENTI-Test rule asie_caretto.giacinto]
action0=set_role=default
condition0=cn,is,caretto.giacinto
status=enabled
match=any
class=authentication
action1=set_access_duration=1h
description=utente caretto,giacinto

[DIPENDENTI-Test rule asie_giacinto.caretto]
action0=set_role=default
condition0=cn,is,giacinto.caretto
status=enabled
match=any
class=authentication
action1=set_access_duration=3h
description=utente giacinto.caretto

[DIPENDENTI-Test rule CATCH-ALL]
action0=set_role=default
status=enabled
match=all
class=authentication
action1=set_access_duration=12h
description=utenti del dominio asie

Authentication Rules mismatch: the authentication process seems to remember the last examined user and applies the same conditions to the next one.

These are some tests:

For giacinto.caretto user …

/usr/local/pf/bin/pftest authentication "giacinto.caretto" "password" DIPENDENTI-Test
Testing authentication for "giacinto.caretto"

Authenticating against 'DIPENDENTI-Test' in context 'admin'
  Authentication SUCCEEDED against DIPENDENTI-Test (Authentication successful.)
  Matched against DIPENDENTI-Test for 'authentication' rule asie_caretto.giacinto
    set_role : default
    set_access_duration : 1h
  Did not match against DIPENDENTI-Test for 'administration' rules

Authenticating against 'DIPENDENTI-Test' in context 'portal'
  Authentication SUCCEEDED against DIPENDENTI-Test (Authentication successful.)
  Matched against DIPENDENTI-Test for 'authentication' rule asie_caretto.giacinto
    set_role : default
    set_access_duration : 1h
  Did not match against DIPENDENTI-Test for 'administration' rules

For caretto.giacinto user …

/usr/local/pf/bin/pftest authentication "caretto.giacinto" "giacinto2020" DIPENDENTI-Test
Testing authentication for "caretto.giacinto"

Authenticating against 'DIPENDENTI-Test' in context 'admin'
  Authentication SUCCEEDED against DIPENDENTI-Test (Authentication successful.)
  Matched against DIPENDENTI-Test for 'authentication' rule asie_caretto.giacinto
    set_role : default
    set_access_duration : 1h
  Did not match against DIPENDENTI-Test for 'administration' rules

Authenticating against 'DIPENDENTI-Test' in context 'portal'
  Authentication SUCCEEDED against DIPENDENTI-Test (Authentication successful.)
  Matched against DIPENDENTI-Test for 'authentication' rule asie_caretto.giacinto
    set_role : default
    set_access_duration : 1h
  Did not match against DIPENDENTI-Test for 'administration' rules

What's wrong?

Thanks,
GC

This e-mail and any attachments is confidential and may contain privileged information intended for the addressee(s) only. Dissemination, copying, printing or use by anybody else is unauthorised (art. 616 c.p, D.Lgs. n. 196/2003 and subsequent amendments and GDPR UE 2016/679). If you are not the intended recipient, please delete this message and any attachments and advise the sender by return e-mail. Thanks.
_______________________________________________ PacketFence-users mailing list PacketFence-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/packetfence-users
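
An added example (not part of the thread and not PacketFence code): a small audit that compares the rule named in the "Matched rule" log lines with the rule the quoted stanzas would select for the user who authenticated. It assumes rules are evaluated top to bottom with the first match winning, that a rule without conditions matches everyone, and that `cn` equals the login name (the source sets `usernameattribute=cn`); the function names and the second MAC are constructed for illustration.

```python
import re

# Rule stanzas from the thread's DIPENDENTI-Test source (only the keys used here).
RULES_CONF = """\
[DIPENDENTI-Test rule asie_caretto.giacinto]
condition0=cn,is,caretto.giacinto
match=any
[DIPENDENTI-Test rule asie_giacinto.caretto]
condition0=cn,is,giacinto.caretto
match=any
[DIPENDENTI-Test rule CATCH-ALL]
match=all
"""

# First three entries come from the log in the thread; the last two are constructed
# (documentation MAC) to show a login whose matched rule agrees with the config.
P = "Jul 7 09:15:52 pfbritest packetfence_httpd.portal: httpd.portal(22460) INFO: "
LOG = "\n".join([
    P + "[mac:20:cf:30:b1:f0:c8] Authentication successful for giacinto.caretto in source DIPENDENTI-Test (AD) (pf::authentication::authenticate)",
    P + "[mac:20:cf:30:b1:f0:c8] Matched rule (asie_caretto.giacinto) in source DIPENDENTI-Test, returning actions. (pf::Authentication::Source::match_rule)",
    P + "[mac:20:cf:30:b1:f0:c8] Matched rule (asie_caretto.giacinto) in source DIPENDENTI-Test, returning actions. (pf::Authentication::Source::match)",
    P + "[mac:00:00:5e:00:53:01] Authentication successful for caretto.giacinto in source DIPENDENTI-Test (AD) (pf::authentication::authenticate)",
    P + "[mac:00:00:5e:00:53:01] Matched rule (asie_caretto.giacinto) in source DIPENDENTI-Test, returning actions. (pf::Authentication::Source::match)",
])

SECTION = re.compile(r"^\[(\S+) rule (.+)\]$")
AUTH_OK = re.compile(r"\[mac:([0-9a-f:]{17})\] Authentication successful for (\S+) in source (\S+)")
MATCHED = re.compile(r"\[mac:([0-9a-f:]{17})\] Matched rule \((.+?)\) in source ([^\s,]+),")


def parse_rules(text):
    """Return rule stanzas in file order; order matters for first-match evaluation."""
    rules, cur = [], None
    for line in (l.strip() for l in text.splitlines()):
        m = SECTION.match(line)
        if m:
            cur = {"source": m.group(1), "name": m.group(2), "match": "all", "conditions": []}
            rules.append(cur)
        elif line.startswith("["):
            cur = None  # a non-rule section (e.g. the source itself): ignore its keys
        elif cur is not None and "=" in line:
            key, value = line.split("=", 1)
            if key.startswith("condition"):
                cur["conditions"].append(tuple(value.split(",", 2)))
            elif key == "match":
                cur["match"] = value
    return rules


def expected_rule(rules, source, attrs):
    """First rule of `source` whose conditions hold for `attrs` (assumed semantics)."""
    for rule in rules:
        if rule["source"] != source:
            continue
        results = []
        for attr, op, value in rule["conditions"]:
            if op != "is":
                raise ValueError(f"operator {op!r} is not handled in this sketch")
            # LDAP cn comparison is case-insensitive, so compare case-folded values.
            results.append((attrs.get(attr) or "").casefold() == value.casefold())
        if not results or (any(results) if rule["match"] == "any" else all(results)):
            return rule["name"]
    return None


def audit(log_text, rules, username_attr="cn"):
    """Return (mac, user, matched_rule, expected_rule) for every disagreement."""
    last_user, findings = {}, []
    for line in log_text.splitlines():
        m = AUTH_OK.search(line)
        if m:
            last_user[(m.group(1), m.group(3))] = m.group(2)
            continue
        m = MATCHED.search(line)
        if not m:
            continue
        mac, matched, source = m.groups()
        user = last_user.get((mac, source))
        if user is None:
            continue  # no preceding authentication line for this MAC and source
        expected = expected_rule(rules, source, {username_attr: user})
        finding = (mac, user, matched, expected)
        if matched != expected and finding not in findings:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for mac, user, matched, expected in audit(LOG, parse_rules(RULES_CONF)):
        print(f"{mac} {user}: log matched {matched!r}, config implies {expected!r}")
```

Fed the real `conf/authentication.conf` and the output of the `grep` suggested in the thread, the same comparison lists every login where the applied rule is not the one the conditions imply.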