Hello Joel,

The rule is wrong, it’s not the attribute distinguishedName but memberof.

Do: memberof equals CN=vlan100…...

Change it and re-test, it should work.

Thanks,

Ludovic Zammit
[email protected] :: +1.514.447.4918 (x145) :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence (http://packetfence.org)

> On Mar 25, 2021, at 8:14 AM, Joel Rodriguez <[email protected]> wrote:
>
> Ludovic,
>
> test user is an Active Directory user that is in the vlan100 AD group. I want to authenticate against AD.
> This is the authentication rule.
> <image.png>
>
> and output
>
> <image.png>
>
> On Thu, Mar 25, 2021 at 8:09 AM Ludovic Zammit <[email protected]> wrote:
> Where do you want to authenticate your test user?
>
> Where did you create it?
>
> Thanks,
>
> Ludovic Zammit
>
>> On Mar 24, 2021, at 4:19 PM, Joel Rodriguez <[email protected]> wrote:
>>
>> Hi Ludovic,
>>
>> This is the output.
>>
>> <image.png>
>>
>> On Tue, Mar 23, 2021 at 1:40 PM Ludovic Zammit <[email protected]> wrote:
>> Hello Joel,
>>
>> That output tells me that your node / username did not match any rule in any source.
>>
>> Do that and show me the result:
>>
>> grep -i MAC_ADDRESS /usr/local/pf/logs/packetfence.log
>>
>> Thanks,
>>
>> Ludovic Zammit
>>
>>> On Mar 23, 2021, at 1:33 PM, Joel Rodriguez <[email protected]> wrote:
>>>
>>> Ludovic, can you help with my question below? Also, this is the entire output; as you can see in the RADIUS reply, I do not see where PacketFence is sending back the VLAN.
>>>
>>> I am having an issue where I have a rule that successfully matches and is based on AD group; however, even if the account used on the device is not in the correct AD group, it still successfully authenticates. I believe this is more of an AAA override issue. Is there anywhere in PacketFence where I can see if PacketFence is sending back the VLAN assignment? All I see in the log is successful authentication, nothing indicating it sent back a VLAN override.
>>> Thank you in advance for your help.
>>>
>>> Request Time
>>> 0
>>> RADIUS Request
>>> User-Name = "test"
>>> NAS-IP-Address = 172.16.99.99
>>> NAS-Port = 5
>>> Service-Type = Framed-User
>>> Framed-IP-Address = 172.16.100.174
>>> Framed-MTU = 1485
>>> State = 0x5ce103c05de81912a6fe102bc6c3d43e
>>> Called-Station-Id = "2c:21:21:9d:5f:60:Rdz-EWC
>>> Calling-Station-Id = "56:59:f8:36:e1:55"
>>> NAS-Identifier = "WLC2CF8.9B15.6E14"
>>> NAS-Port-Type = Wireless-802.11
>>> Event-Timestamp = "Mar 16 2021 08:59:38 EDT"
>>> EAP-Message = 0x020900061a03
>>> NAS-Port-Id = "capwap_90000004"
>>> Airespace-Wlan-Id = 1
>>> Cisco-AVPair = "service-type=Framed"
>>> Cisco-AVPair = "audit-session-id=636310AC0000004094F18357"
>>> Cisco-AVPair = "method=dot1x"
>>> Cisco-AVPair = "addrv6=fe80::1ca6:189c:65f4:5770"
>>> Cisco-AVPair = "client-iif-id=469767067"
>>> Cisco-AVPair = "vlan-id=100"
>>> Cisco-AVPair = "cisco-wlan-ssid=Rdz-EWC"
>>> Cisco-AVPair = "wlan-profile-name=Rdz-EWC"
>>> FreeRADIUS-Proxied-To = 127.0.0.1
>>> EAP-Type = MSCHAPv2
>>> Stripped-User-Name = "test"
>>> Realm = "null"
>>> Called-Station-SSID = "Rdz-EWC"
>>> PacketFence-Domain = "NNGDomain"
>>> PacketFence-KeyBalanced = "6d5099cbb3bd042f6788696b2f8e2bfc"
>>> PacketFence-Radius-Ip = "172.16.100.95"
>>> PacketFence-NTLMv2-Only = ""
>>> PacketFence-Outer-User = "test"
>>> User-Password = "******"
>>> SQL-User-Name = "test"
>>> RADIUS Reply
>>> EAP-Message = 0x03090004
>>> Message-Authenticator = 0x00000000000000000000000000000000
>>> User-Name = "test"
>>>
>>> ---------- Forwarded message ---------
>>> From: Joel Rodriguez <[email protected]>
>>> Date: Tue, Mar 16, 2021 at 10:13 AM
>>> Subject: VLAN Override Issue
>>> To: <[email protected]>
_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
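
Added example, not part of the original thread and not PacketFence code: a small Python check that splits a RADIUS audit dump like the one quoted above into request and reply, then reports whether the reply actually carries a VLAN override. It assumes the VLAN is returned with the standard RFC 3580 tunnel attributes; the function names and the second sample dump are constructed for illustration.

```python
import re

# RFC 3580 VLAN assignment: Tunnel-Type, Tunnel-Medium-Type and
# Tunnel-Private-Group-Id must all be present in the reply (assumed here).
REQUIRED = {"tunnel-type": {"VLAN", "13"}, "tunnel-medium-type": {"IEEE-802", "6"}}
ATTR_RE = re.compile(r"^([A-Za-z0-9-]+)(?::\d+)?\s*=\s*(.*)$")  # optional tunnel tag

def parse_audit_dump(dump):
    """Split a RADIUS audit dump into request and reply attribute maps."""
    sections = {"request": {}, "reply": {}}
    current = None
    for raw in dump.splitlines():
        line = re.sub(r"^[>\s]+", "", raw).rstrip()  # tolerate e-mail quoting
        if line.lower() in ("radius request", "radius reply"):
            current = line.lower().split()[1]
        elif current and (m := ATTR_RE.match(line)):
            name, value = m.group(1).lower(), m.group(2).strip('"')
            sections[current].setdefault(name, []).append(value)
    return sections

def vlan_assignment(reply):
    """Return the VLAN id the reply assigns, or None when there is no override."""
    for name, accepted in REQUIRED.items():
        if not any(v.upper() in accepted for v in reply.get(name, [])):
            return None
    ids = reply.get("tunnel-private-group-id", [])
    return ids[0] if ids else None

# Excerpt of the dump quoted in the thread: "vlan-id=100" is in the REQUEST only.
PAGE_DUMP = """\
>>> RADIUS Request
>>> User-Name = "test"
>>> Cisco-AVPair = "method=dot1x"
>>> Cisco-AVPair = "vlan-id=100"
>>> RADIUS Reply
>>> EAP-Message = 0x03090004
>>> Message-Authenticator = 0x00000000000000000000000000000000
>>> User-Name = "test"
"""

# Constructed sample of a reply that does carry a VLAN override.
CONSTRUCTED_DUMP = """\
RADIUS Reply
Tunnel-Type = VLAN
Tunnel-Medium-Type = IEEE-802
Tunnel-Private-Group-Id = "100"
User-Name = "test"
"""

if __name__ == "__main__":
    for label, dump in (("thread", PAGE_DUMP), ("constructed", CONSTRUCTED_DUMP)):
        print(label, "->", vlan_assignment(parse_audit_dump(dump)["reply"]))
```

Searching the whole dump for "vlan" would match the `Cisco-AVPair = "vlan-id=100"` line the controller sent in the request, which is why the check looks only at the reply section.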
