You are not supposed to do that.

With that in the AD source:

email_attribute=mail
usernameattribute=sAMAccountName

you should be ok.


On 20-10-07 at 13:11, Louis Scaringella wrote:
In the AD auth source, I added “email” as a search attribute for the username. 
Maybe that is what you were explaining and I wasn’t quite understanding 
initially?

Louis Scaringella
Security Systems Engineer
Yellow Dog Networks, Inc
785-342-7903

On Oct 7, 2020, at 12:04 PM, Fabrice Durand <fdur...@inverse.ca> wrote:


On 20-10-07 at 12:56, Louis Scaringella wrote:
I am logging in as the sponsor using the AD sAMAccountName in this case. 
However, I think the problem is that when the guest has to put in a sponsor, it 
must be an email address so I think there is a discrepancy there with that. It is 
expecting me to log in with that email address I suspect.
No, the email attribute and the username attribute are 2 different things.

What you can do is capture the LDAP traffic from PacketFence to see what 
the search request/reply is when you log in as a sponsor to validate the access.


Do I maybe need to have an account created in PacketFence that matches that 
sponsor email address so PacketFence can mark that as a sponsor in its database?
Not really necessary; you have to choose between using a local account or an 
AD/LDAP account.

On Oct 7, 2020, at 11:52 AM, Fabrice Durand via PacketFence-users 
<packetfence-users@lists.sourceforge.net> wrote:

I think it's probably because of the username attribute in the AD 
authentication source.

When you set a sponsor in the portal, PacketFence tries to find the email 
address in the AD and checks if the user account is a sponsor.

When you click on the link, the portal asks you to authenticate with the 
sponsor credentials, but the format of the username depends on the username 
attribute you defined (like sAMAccountName or userPrincipalName).


On 20-10-07 at 12:13, Louis Scaringella via PacketFence-users wrote:
I tried the same thing, but using Active Directory source this time as a 
sponsor. It’s the same error, when a guest is signing up, they can put the 
sponsor from AD in and it does send the email to the sponsor. But when sponsor 
clicks the link and signs in with AD credentials, it says that the user doesn’t 
have access to sponsor.

The AD source is now set to have an administrative rule to mark as sponsor.


On Oct 7, 2020, at 10:48 AM, Louis Scaringella via PacketFence-users 
<packetfence-users@lists.sourceforge.net> wrote:

Of course, thank you for your help!

Here is the logs from the entire process of the guest choosing sponsor email 
and then the sponsor clicking the link and trying to authenticate.

I’m using a user in /usr/local/pf/conf/admin.conf that I created as an htpasswd 
file instead of Active Directory. I’m also open to using a local PF admin 
for this but haven’t had luck with that either.


It is hitting the right connection profile and file1 is the authentication 
source where the htpasswd file is and set to mark as sponsor. The problem is 
that when the sponsor tries to sign in to authenticate to approve the user, 
it errors out.


Oct 7 10:43:01 localhost packetfence_httpd.portal: httpd.portal(2612) INFO: 
[mac:00:24:d6:5b:30:bc] Instantiate profile Lab-Aruba-OpenGuest-copy 
(pf::Connection::ProfileFactory::_from_profile)
Oct 7 10:43:06 localhost packetfence_httpd.portal: httpd.portal(2610) INFO: 
[mac:00:24:d6:5b:30:bc] Instantiate profile Lab-Aruba-OpenGuest-copy 
(pf::Connection::ProfileFactory::_from_profile)
Oct 7 10:43:06 localhost packetfence_httpd.portal: httpd.portal(2613) INFO: 
[mac:00:24:d6:5b:30:bc] Instantiate profile Lab-Aruba-OpenGuest-copy 
(pf::Connection::ProfileFactory::_from_profile)
Oct 7 10:43:08 localhost packetfence_httpd.portal: httpd.portal(2611) INFO: 
[mac:00:24:d6:5b:30:bc] Instantiate profile Lab-Aruba-OpenGuest-copy 
(pf::Connection::ProfileFactory::_from_profile)
Oct 7 10:43:08 localhost packetfence_httpd.portal: httpd.portal(2613) INFO: 
[mac:00:24:d6:5b:30:bc] Instantiate profile Lab-Aruba-OpenGuest-copy 
(pf::Connection::ProfileFactory::_from_profile)
Oct 7 10:43:08 localhost packetfence_httpd.portal: httpd.portal(2613) ERROR: 
[mac:00:24:d6:5b:30:bc] Cannot restore activation code from user session. 
(captiveportal::PacketFence::DynamicRouting::Module::Authentication::Sponsor::check_session_activation)
Oct 7 10:43:08 localhost packetfence_httpd.portal: httpd.portal(2612) INFO: 
[mac:00:24:d6:5b:30:bc] Instantiate profile Lab-Aruba-OpenGuest-copy 
(pf::Connection::ProfileFactory::_from_profile)
Oct 7 10:43:14 localhost packetfence_httpd.portal: httpd.portal(2613) INFO: 
[mac:00:24:d6:5b:30:bc] Instantiate profile Lab-Aruba-OpenGuest-copy 
(pf::Connection::ProfileFactory::_from_profile)
Oct 7 10:43:15 localhost packetfence_httpd.portal: httpd.portal(2613) INFO: 
[mac:00:24:d6:5b:30:bc] registering guest through a sponsor 
(captiveportal::PacketFence::DynamicRouting::Module::Authentication::Sponsor::do_sponsor_registration)
Oct 7 10:43:15 localhost packetfence_httpd.portal: httpd.portal(2613) INFO: 
[mac:00:24:d6:5b:30:bc] Using sources local, file1, LabDC for matching 
(pf::authentication::match)
Oct 7 10:43:15 localhost packetfence_httpd.portal: httpd.portal(2613) INFO: 
[mac:00:24:d6:5b:30:bc] Matched rule (admins) in source file1, returning 
actions. (pf::Authentication::Source::match_rule)
Oct 7 10:43:15 localhost packetfence_httpd.portal: httpd.portal(2613) INFO: 
[mac:00:24:d6:5b:30:bc] Matched rule (admins) in source file1, returning 
actions. (pf::Authentication::Source::match)
Oct 7 10:43:15 localhost packetfence_httpd.portal: httpd.portal(2613) INFO: 
[mac:00:24:d6:5b:30:bc] Adding guest person louis.scaringe...@gmail.com 
(captiveportal::PacketFence::DynamicRouting::Module::Authentication::Sponsor::do_sponsor_registration)
Oct 7 10:43:15 localhost packetfence_httpd.portal: httpd.portal(2613) INFO: 
[mac:00:24:d6:5b:30:bc] new activation code successfully generated 
(pf::activation::create)
Oct 7 10:43:15 localhost packetfence_httpd.portal: httpd.portal(2613) INFO: 
[mac:00:24:d6:5b:30:bc] Instantiate profile Lab-Aruba-OpenGuest-copy 
(pf::Connection::ProfileFactory::_from_profile)
Oct 7 10:43:15 localhost packetfence_httpd.portal: httpd.portal(2613) INFO: 
[mac:00:24:d6:5b:30:bc] User louis.scaringe...@gmail.com has authenticated on 
the portal. (Class::MOP::Class:::after)
Oct 7 10:43:20 localhost packetfence_httpd.portal: httpd.portal(2610) INFO: 
[mac:00:24:d6:5b:30:bc] Instantiate profile Lab-Aruba-OpenGuest-copy 
(pf::Connection::ProfileFactory::_from_profile)
Oct 7 10:43:25 localhost packetfence_httpd.portal: httpd.portal(2611) INFO: 
[mac:00:24:d6:5b:30:bc] Instantiate profile Lab-Aruba-OpenGuest-copy 
(pf::Connection::ProfileFactory::_from_profile)
Oct 7 10:43:28 localhost packetfence_httpd.portal: httpd.portal(2611) WARN: 
[mac:unknown] Unable to match MAC address to IP '198.18.101.1' 
(pf::ip4log::ip2mac)
Oct 7 10:43:28 localhost packetfence_httpd.portal: httpd.portal(2611) WARN: 
[mac:0] Unable to match MAC address to IP '198.18.101.1' (pf::ip4log::ip2mac)
Oct 7 10:43:28 localhost packetfence_httpd.portal: httpd.portal(2611) INFO: 
[mac:0] Instantiate profile Lab-Aruba-OpenGuest-copy 
(pf::Connection::ProfileFactory::_from_profile)
Oct 7 10:43:28 localhost packetfence_httpd.portal: httpd.portal(2611) WARN: 
[mac:0] Use of uninitialized value in string ne at 
/usr/local/pf/lib/captiveportal/PacketFence/DynamicRouting/Application.pm line 
146.
(captiveportal::PacketFence::DynamicRouting::Application::process_fingerbank)
Oct 7 10:43:28 localhost pfqueue: pfqueue(2277) ERROR: [mac:unknown] Unable to 
fetch query arguments for Fingerbank query. Aborting. (pf::fingerbank::process)
Oct 7 10:43:28 localhost packetfence_httpd.portal: httpd.portal(2611) INFO: 
[mac:0] [00:24:d6:5b:30:bc] Activation code sent to email lscaringe...@ydn.co 
from louis.scaringe...@gmail.com successfully verified. for activation type: 
sponsor (pf::activation::validate_code)
Oct 7 10:43:28 localhost packetfence_httpd.portal: httpd.portal(2611) INFO: 
[mac:0] Sponsor needs to authenticate in order to activate guest. Guest token: 
df13716b99252659d29c6b89a5617c36 
(captiveportal::PacketFence::Controller::Activate::Email::doSponsorRegistration)
Oct 7 10:43:29 localhost packetfence_httpd.portal: httpd.portal(2610) WARN: 
[mac:unknown] Unable to match MAC address to IP '198.18.101.1' 
(pf::ip4log::ip2mac)
Oct 7 10:43:29 localhost packetfence_httpd.portal: httpd.portal(2610) WARN: 
[mac:0] Unable to match MAC address to IP '198.18.101.1' (pf::ip4log::ip2mac)
Oct 7 10:43:29 localhost packetfence_httpd.portal: httpd.portal(2610) WARN: 
[mac:0] Use of uninitialized value in string ne at 
/usr/local/pf/lib/captiveportal/PacketFence/DynamicRouting/Application.pm line 
146.
(captiveportal::PacketFence::DynamicRouting::Application::process_fingerbank)
Oct 7 10:43:29 localhost pfqueue: pfqueue(2281) ERROR: [mac:unknown] Unable to 
fetch query arguments for Fingerbank query. Aborting. (pf::fingerbank::process)
Oct 7 10:43:31 localhost packetfence_httpd.portal: httpd.portal(2611) INFO: 
[mac:00:24:d6:5b:30:bc] Instantiate profile Lab-Aruba-OpenGuest-copy 
(pf::Connection::ProfileFactory::_from_profile)
Oct 7 10:43:35 localhost packetfence_httpd.portal: httpd.portal(2613) INFO: 
[mac:00:24:d6:5b:30:bc] Instantiate profile Lab-Aruba-OpenGuest-copy 
(pf::Connection::ProfileFactory::_from_profile)
Oct 7 10:43:36 localhost packetfence_httpd.portal: httpd.portal(2611) WARN: 
[mac:unknown] Unable to match MAC address to IP '198.18.101.1' 
(pf::ip4log::ip2mac)
Oct 7 10:43:36 localhost packetfence_httpd.portal: httpd.portal(2611) WARN: 
[mac:0] Unable to match MAC address to IP '198.18.101.1' (pf::ip4log::ip2mac)
Oct 7 10:43:36 localhost packetfence_httpd.portal: httpd.portal(2611) INFO: 
[mac:0] Instantiate profile Lab-Aruba-OpenGuest-copy 
(pf::Connection::ProfileFactory::_from_profile)
Oct 7 10:43:36 localhost packetfence_httpd.portal: httpd.portal(2611) WARN: 
[mac:0] Use of uninitialized value in string ne at 
/usr/local/pf/lib/captiveportal/PacketFence/DynamicRouting/Application.pm line 
146.
(captiveportal::PacketFence::DynamicRouting::Application::process_fingerbank)
Oct 7 10:43:36 localhost pfqueue: pfqueue(2276) ERROR: [mac:unknown] Unable to 
fetch query arguments for Fingerbank query. Aborting. (pf::fingerbank::process)
Oct 7 10:43:36 localhost packetfence_httpd.portal: httpd.portal(2611) INFO: 
[mac:0] [00:24:d6:5b:30:bc] Activation code sent to email lscaringe...@ydn.co 
from louis.scaringe...@gmail.com successfully verified. for activation type: 
sponsor (pf::activation::validate_code)
Oct 7 10:43:36 localhost packetfence_httpd.portal: httpd.portal(2611) INFO: 
[mac:0] Realm source is part of the connection profile sources. Using it as the 
only auth source. 
(captiveportal::PacketFence::Controller::Authenticate::getSources)
Oct 7 10:43:36 localhost packetfence_httpd.portal: httpd.portal(2610) WARN: 
[mac:unknown] Unable to match MAC address to IP '198.18.101.1' 
(pf::ip4log::ip2mac)
Oct 7 10:43:36 localhost packetfence_httpd.portal: httpd.portal(2610) WARN: 
[mac:0] Unable to match MAC address to IP '198.18.101.1' (pf::ip4log::ip2mac)
Oct 7 10:43:36 localhost packetfence_httpd.portal: httpd.portal(2610) WARN: 
[mac:0] Use of uninitialized value in string ne at 
/usr/local/pf/lib/captiveportal/PacketFence/DynamicRouting/Application.pm line 
146.
(captiveportal::PacketFence::DynamicRouting::Application::process_fingerbank)
Oct 7 10:43:36 localhost pfqueue: pfqueue(2275) ERROR: [mac:unknown] Unable to 
fetch query arguments for Fingerbank query. Aborting. (pf::fingerbank::process)
Oct 7 10:43:39 localhost packetfence_httpd.portal: httpd.portal(2610) WARN: 
[mac:unknown] Unable to match MAC address to IP '198.18.101.1' 
(pf::ip4log::ip2mac)
Oct 7 10:43:39 localhost packetfence_httpd.portal: httpd.portal(2610) WARN: 
[mac:0] Unable to match MAC address to IP '198.18.101.1' (pf::ip4log::ip2mac)
Oct 7 10:43:39 localhost packetfence_httpd.portal: httpd.portal(2610) INFO: 
[mac:0] Instantiate profile Lab-Aruba-OpenGuest-copy 
(pf::Connection::ProfileFactory::_from_profile)
Oct 7 10:43:39 localhost packetfence_httpd.portal: httpd.portal(2610) WARN: 
[mac:0] Use of uninitialized value in string ne at 
/usr/local/pf/lib/captiveportal/PacketFence/DynamicRouting/Application.pm line 
146.
(captiveportal::PacketFence::DynamicRouting::Application::process_fingerbank)
Oct 7 10:43:39 localhost pfqueue: pfqueue(2277) ERROR: [mac:unknown] Unable to 
fetch query arguments for Fingerbank query. Aborting. (pf::fingerbank::process)
Oct 7 10:43:39 localhost packetfence_httpd.portal: httpd.portal(2610) INFO: 
[mac:0] [00:24:d6:5b:30:bc] Activation code sent to email lscaringe...@ydn.co 
from louis.scaringe...@gmail.com successfully verified. for activation type: 
sponsor (pf::activation::validate_code)
Oct 7 10:43:39 localhost packetfence_httpd.portal: httpd.portal(2610) INFO: 
[mac:0] Realm source is part of the connection profile sources. Using it as the 
only auth source. 
(captiveportal::PacketFence::Controller::Authenticate::getSources)
Oct 7 10:43:40 localhost packetfence_httpd.portal: httpd.portal(2612) WARN: 
[mac:unknown] Unable to match MAC address to IP '198.18.101.1' 
(pf::ip4log::ip2mac)
Oct 7 10:43:40 localhost packetfence_httpd.portal: httpd.portal(2612) WARN: 
[mac:0] Unable to match MAC address to IP '198.18.101.1' (pf::ip4log::ip2mac)
Oct 7 10:43:40 localhost packetfence_httpd.portal: httpd.portal(2612) WARN: 
[mac:0] Use of uninitialized value in string ne at 
/usr/local/pf/lib/captiveportal/PacketFence/DynamicRouting/Application.pm line 
146.
(captiveportal::PacketFence::DynamicRouting::Application::process_fingerbank)
Oct 7 10:43:40 localhost pfqueue: pfqueue(2280) ERROR: [mac:unknown] Unable to 
fetch query arguments for Fingerbank query. Aborting. (pf::fingerbank::process)
Oct 7 10:43:40 localhost packetfence_httpd.portal: httpd.portal(2611) INFO: 
[mac:00:24:d6:5b:30:bc] Instantiate profile Lab-Aruba-OpenGuest-copy 
(pf::Connection::ProfileFactory::_from_profile)
Oct 7 10:43:45 localhost packetfence_httpd.portal: httpd.portal(2613) INFO: 
[mac:00:24:d6:5b:30:bc] Instantiate profile Lab-Aruba-OpenGuest-copy 
(pf::Connection::ProfileFactory::_from_profile)

On Oct 7, 2020, at 8:15 AM, Fabrice Durand via PacketFence-users 
<packetfence-users@lists.sourceforge.net> wrote:

Hello Louis,

You will need to check in packetfence.log which authentication source is 
used when you log in on the portal (to validate the access).

Regards

Fabrice


On 20-10-06 at 21:47, Louis Scaringella via PacketFence-users wrote:
I made some progress with this. I can now progress past the sponsor email section 
and it accepts it. The sponsor gets the email, clicks the link, I login with the 
sponsor account, but then it says “does not have permission to sponsor a user”.

Any ideas now?


On Oct 6, 2020, at 7:51 PM, Louis Scaringella 
<lscaringe...@yellowdognetworks.com> wrote:

The exact message is:

Email [myem...@mydomain.com] is not allowed to sponsor guest access.

When I run the following test, it matches my authentication source which has 
this marked as a sponsor.


[root@localhost bin]# ./pftest authentication lscaringe...@ydn.co xxxxxxxxxx

Testing authentication for "lscaringe...@ydn.co"

Authenticating against 'local' in context 'admin'
Authentication SUCCEEDED against local (Authentication successful.)
Matched against local for 'authentication' rule default
   set_access_level : ALL
   set_unreg_date : 0000-00-00 00:00:00
   set_tenant_id : 1
Matched against local for 'administration' rule default
   set_access_level : ALL
   set_unreg_date : 0000-00-00 00:00:00
   set_tenant_id : 1

Authenticating against 'local' in context 'portal'
Authentication SUCCEEDED against local (Authentication successful.)
Matched against local for 'authentication' rule default
   set_access_level : ALL
   set_unreg_date : 0000-00-00 00:00:00
   set_tenant_id : 1
Matched against local for 'administration' rule default
   set_access_level : ALL
   set_unreg_date : 0000-00-00 00:00:00
   set_tenant_id : 1

Authenticating against 'file1' in context 'admin'
Authentication SUCCEEDED against file1 (Authentication successful.)
Did not match against file1 for 'authentication' rules
Matched against file1 for 'administration' rule admins
   set_access_level : ALL
   mark_as_sponsor : 1

Authenticating against 'file1' in context 'portal'
Authentication SUCCEEDED against file1 (Authentication successful.)
Did not match against file1 for 'authentication' rules
Matched against file1 for 'administration' rule admins
   set_access_level : ALL
   mark_as_sponsor : 1


On Oct 6, 2020, at 6:46 PM, Louis Scaringella 
<lscaringe...@yellowdognetworks.com> wrote:

Hello,

I’m having an issue with the captive portal with sponsored guest access.

Basically, when I go to test this and enter a sponsor email, it tells me that 
email doesn’t have access to be a sponsor. Unfortunately, there isn’t great 
documentation on this process and the other posts about this are years old.

Any ideas?


The information transmitted, including any attachments, is intended only for 
the person or entity to which it is addressed and may contain confidential 
and/or privileged material. Any review, retransmission, dissemination or other 
use of, or taking of any action in reliance upon, this information by persons 
or entities other than the intended recipient is prohibited, and all liability 
arising therefrom is disclaimed. If you received this in error, please contact 
the sender and delete the material from any computer.

_______________________________________________
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users
--
Fabrice Durand
fdur...@inverse.ca ::  +1.514.447.4918 (x135) ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
(http://packetfence.org)
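
Fabrice's suggestion earlier in the thread, to check packetfence.log for which authentication source is used at each step, can be scripted. The following is an added example, not code from the thread or from PacketFence; its regexes are built only from the message formats visible in the log excerpt above, the sample lines are constructed from that excerpt (unwrapped, guest token replaced by a placeholder), and the two findings are this example's own heuristics.

```python
import re

# Line layout taken from the packetfence.log excerpt in this thread (unwrapped).
LINE_RE = re.compile(
    r"^\w{3}\s+\d+ \d\d:\d\d:\d\d \S+ [\w.]+: \S+\(\d+\) [A-Z]+: "
    r"\[mac:[^\]]+\] (?P<msg>.*?)\s*\((?P<func>[\w:]+)\)\s*$"
)
SOURCES_RE = re.compile(r"^Using sources (.+) for matching$")
RULE_RE = re.compile(r"^Matched rule \(([^)]+)\) in source (\S+), returning actions\.$")
SPONSOR_LOGIN = "Sponsor needs to authenticate in order to activate guest."
REALM_ONLY = "Realm source is part of the connection profile sources."


def summarize(lines):
    """Collect auth-source events before and after the sponsor-login marker."""
    phases = {name: {"sources": [], "rules": [], "realm_only": False}
              for name in ("guest_registration", "sponsor_login")}
    current = phases["guest_registration"]
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # still-wrapped or unrelated line
        msg = m.group("msg")
        if msg.startswith(SPONSOR_LOGIN):
            current = phases["sponsor_login"]
        elif msg.startswith(REALM_ONLY):
            current["realm_only"] = True
        elif s := SOURCES_RE.match(msg):
            current["sources"] += [n for n in s.group(1).split(", ")
                                   if n not in current["sources"]]
        elif r := RULE_RE.match(msg):
            pair = (r.group(2), r.group(1))  # (source, rule)
            if pair not in current["rules"]:
                current["rules"].append(pair)
    return phases


def findings(phases):
    """Heuristics (assumptions of this example) worth a closer look."""
    out = []
    reg, login = phases["guest_registration"], phases["sponsor_login"]
    if reg["rules"] and not login["rules"]:
        out.append("rule matched at guest registration but none logged at sponsor login")
    if login["realm_only"]:
        out.append("sponsor login was restricted to the realm source only")
    return out


def _line(time, pid, mac, msg, func):
    return (f"Oct 7 {time} localhost packetfence_httpd.portal: httpd.portal({pid}) "
            f"INFO: [mac:{mac}] {msg} ({func})")


# Constructed sample: message texts copied from the thread's log, one event per line.
MAC = "00:24:d6:5b:30:bc"
SAMPLE = [
    _line("10:43:15", 2613, MAC, "Using sources local, file1, LabDC for matching",
          "pf::authentication::match"),
    _line("10:43:15", 2613, MAC, "Matched rule (admins) in source file1, returning actions.",
          "pf::Authentication::Source::match_rule"),
    _line("10:43:28", 2611, "0", SPONSOR_LOGIN + " Guest token: GUEST_TOKEN_PLACEHOLDER",
          "captiveportal::PacketFence::Controller::Activate::Email::doSponsorRegistration"),
    _line("10:43:36", 2611, "0", REALM_ONLY + " Using it as the only auth source.",
          "captiveportal::PacketFence::Controller::Authenticate::getSources"),
]

if __name__ == "__main__":
    for finding in findings(summarize(SAMPLE)):
        print(finding)
```

The excerpt in the thread is wrapped by the mail client, so each entry has to be joined back onto one line before it will parse.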


