Remove the realm config in your AD source NNGAuthSource. Leave it empty, the realm selection would be dynamic.

Thanks,

Ludovic Zammit
[email protected] :: +1.514.447.4918 (x145) :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence (http://packetfence.org)

> On Mar 29, 2021, at 10:00 AM, Joel Rodriguez <[email protected]> wrote:
>
> Hi Ludovic,
>
> This is the pftest again. I have attached the requested files. Thanks again!!
>
> <image.png>
>
> On Fri, Mar 26, 2021 at 6:38 PM Ludovic Zammit <[email protected]> wrote:
> Do the pftest again.
>
> It does not match the rule.
>
> Send me the conf/authentication.conf conf/profiles.conf and conf/realm.conf
>
> Thanks,
>
>> On Mar 26, 2021, at 6:25 PM, Joel Rodriguez <[email protected]> wrote:
>>
>> Hi Ludovic,
>>
>> Tested after making that change.
>>
>> Here is the new authentication rule:
>> <image.png>
>>
>> It is still not sending back the VLAN (aaa override is enabled on the WLC), and client devices are getting authenticated into the wireless even if my authentication rule does not match. It seems that no matter what I do nothing seems to make it work. We are trying to test this in a lab environment and the plan is to roll it out to our customers, with the appropriate support plan from PacketFence.
>>
>> Why is the file1 source matched below? Is that normal? Any other ideas or suggestions? At the end all we want is to authenticate against Active Directory and based on group membership assign a specific vlan. Does that make sense? Thanks Ludovic for your help.
>>
>> This is the output of grep -i 56:59:f8:36:e1:55 /usr/local/pf/logs/packetfence.log
>>
>> /usr/local/pf/logs/packetfence.log:Mar 26 22:13:39 packetfence packetfence_httpd.aaa: httpd.aaa(14887) INFO: [mac:56:59:f8:36:e1:55] Unable to extract audit-session-id of Cisco-AVPair: service-type=Framed (pf::Switch::getCiscoAvPairAttribute)
>> /usr/local/pf/logs/packetfence.log:Mar 26 22:13:39 packetfence packetfence_httpd.aaa: httpd.aaa(14887) INFO: [mac:56:59:f8:36:e1:55] handling radius autz request: from switch_ip => (172.16.99.99), connection_type => Wireless-802.11-EAP,switch_mac => (2c:f8:9b:9d:5f:60), mac => [56:59:f8:36:e1:55], port => 5, username => "test", ssid => Rodriguez-EWC (pf::radius::authorize)
>> /usr/local/pf/logs/packetfence.log:Mar 26 22:13:39 packetfence packetfence_httpd.aaa: httpd.aaa(14887) INFO: [mac:56:59:f8:36:e1:55] Instantiate profile default (pf::Connection::ProfileFactory::_from_profile)
>> /usr/local/pf/logs/packetfence.log:Mar 26 22:13:39 packetfence packetfence_httpd.aaa: httpd.aaa(14887) INFO: [mac:56:59:f8:36:e1:55] Found authentication source(s) : 'file1' for realm 'null' (pf::config::util::filter_authentication_sources)
>> /usr/local/pf/logs/packetfence.log:Mar 26 22:13:39 packetfence packetfence_httpd.aaa: httpd.aaa(14887) INFO: [mac:56:59:f8:36:e1:55] Using sources file1 for matching (pf::authentication::match2)
>> /usr/local/pf/logs/packetfence.log:Mar 26 22:13:39 packetfence packetfence_httpd.aaa: httpd.aaa(14887) INFO: [mac:56:59:f8:36:e1:55] No rules matches or no category defined for the node, set it as unreg. (pf::role::getNodeInfoForAutoReg)
>> /usr/local/pf/logs/packetfence.log:Mar 26 22:13:39 packetfence packetfence_httpd.aaa: httpd.aaa(14887) WARN: [mac:56:59:f8:36:e1:55] No category computed for autoreg (pf::role::getNodeInfoForAutoReg)
>> /usr/local/pf/logs/packetfence.log:Mar 26 22:13:39 packetfence packetfence_httpd.aaa: httpd.aaa(14887) INFO: [mac:56:59:f8:36:e1:55] Found authentication source(s) : 'file1' for realm 'null' (pf::config::util::filter_authentication_sources)
>> /usr/local/pf/logs/packetfence.log:Mar 26 22:13:39 packetfence packetfence_httpd.aaa: httpd.aaa(14887) INFO: [mac:56:59:f8:36:e1:55] Role has already been computed and we don't want to recompute it. Getting role from node_info (pf::role::getRegisteredRole)
>> /usr/local/pf/logs/packetfence.log:Mar 26 22:13:39 packetfence packetfence_httpd.aaa: httpd.aaa(14887) WARN: [mac:56:59:f8:36:e1:55] Use of uninitialized value $role in concatenation (.) or string at /usr/local/pf/lib/pf/role.pm line 489.
>> /usr/local/pf/logs/packetfence.log:Mar 26 22:13:39 packetfence packetfence_httpd.aaa: httpd.aaa(14887) INFO: [mac:56:59:f8:36:e1:55] Username was NOT defined or unable to match a role - returning node based role '' (pf::role::getRegisteredRole)
>> /usr/local/pf/logs/packetfence.log:Mar 26 22:13:39 packetfence packetfence_httpd.aaa: httpd.aaa(14887) INFO: [mac:56:59:f8:36:e1:55] PID: "test", Status: reg Returned VLAN: (undefined), Role: (undefined) (pf::role::fetchRoleForNode)
>> /usr/local/pf/logs/packetfence.log:Mar 26 22:13:39 packetfence packetfence_httpd.aaa: httpd.aaa(14887) WARN: [mac:56:59:f8:36:e1:55] Use of uninitialized value $vlanName in hash element at /usr/local/pf/lib/pf/Switch.pm line 609.
>> /usr/local/pf/logs/packetfence.log:Mar 26 22:13:39 packetfence packetfence_httpd.aaa: httpd.aaa(14887) WARN: [mac:56:59:f8:36:e1:55] Use of uninitialized value $vlanName in concatenation (.) or string at /usr/local/pf/lib/pf/Switch.pm line 612.
>> /usr/local/pf/logs/packetfence.log:Mar 26 22:13:39 packetfence packetfence_httpd.aaa: httpd.aaa(14887) WARN: [mac:56:59:f8:36:e1:55] No parameter Vlan found in conf/switches.conf for the switch 172.16.99.99 (pf::Switch::getVlanByName)
>> /usr/local/pf/logs/packetfence.log:Mar 26 22:13:39 packetfence packetfence_httpd.aaa: httpd.aaa(14887) WARN: [mac:56:59:f8:36:e1:55] Use of uninitialized value $roleName in hash element at /usr/local/pf/lib/pf/Switch.pm line 592.
>> /usr/local/pf/logs/packetfence.log:Mar 26 22:13:39 packetfence packetfence_httpd.aaa: httpd.aaa(14887) WARN: [mac:56:59:f8:36:e1:55] Use of uninitialized value $roleName in concatenation (.) or string at /usr/local/pf/lib/pf/Switch.pm line 595.
>> /usr/local/pf/logs/packetfence.log:Mar 26 22:13:39 packetfence packetfence_httpd.aaa: httpd.aaa(14887) INFO: [mac:56:59:f8:36:e1:55] security_event 1300003 force-closed for 56:59:f8:36:e1:55 (pf::security_event::security_event_force_close)
>> /usr/local/pf/logs/packetfence.log:Mar 26 22:13:39 packetfence packetfence_httpd.aaa: httpd.aaa(14887) INFO: [mac:56:59:f8:36:e1:55] Instantiate profile default (pf::Connection::ProfileFactory::_from_profile)
>>
>> On Fri, Mar 26, 2021 at 3:30 PM Ludovic Zammit <[email protected]> wrote:
>> Hello Joel,
>>
>> The rule is wrong, it’s not the attribute distinguishedName but memberof.
>>
>> Do: memberof equals CN=vlan100…...
>>
>> Change it and re-test, it should work.
>>
>> Thanks,
>>
>> Ludovic Zammit
>> [email protected] :: +1.514.447.4918 (x145) :: www.inverse.ca
>> Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence (http://packetfence.org)
>>
>>> On Mar 25, 2021, at 8:14 AM, Joel Rodriguez <[email protected]> wrote:
>>>
>>> Ludovic,
>>>
>>> test user is an Active Directory user that is in the vlan100 AD group. I want to authenticate against AD.
>>> This is the authentication rule.
>>> <image.png>
>>>
>>> and output
>>>
>>> <image.png>
>>>
>>> On Thu, Mar 25, 2021 at 8:09 AM Ludovic Zammit <[email protected]> wrote:
>>> Where do you want to authenticate your test user?
>>>
>>> Where did you create it?
>>>
>>> Thanks,
>>>
>>> Ludovic Zammit
>>> [email protected] :: +1.514.447.4918 (x145) :: www.inverse.ca
>>> Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence (http://packetfence.org)
>>>
>>>> On Mar 24, 2021, at 4:19 PM, Joel Rodriguez <[email protected]> wrote:
>>>>
>>>> Hi Ludovic,
>>>>
>>>> This is the output.
>>>>
>>>> <image.png>
>>>>
>>>> On Tue, Mar 23, 2021 at 1:40 PM Ludovic Zammit <[email protected]> wrote:
>>>> Hello Joel,
>>>>
>>>> That output tells me that your node / username did not match any rule in any source.
>>>>
>>>> Do that and show me the result:
>>>>
>>>> grep -i MAC_ADDRESS /usr/local/pf/logs/packetfence.log
>>>>
>>>> Thanks,
>>>>
>>>> Ludovic Zammit
>>>> [email protected] :: +1.514.447.4918 (x145) :: www.inverse.ca
>>>> Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence (http://packetfence.org)
>>>>
>>>>> On Mar 23, 2021, at 1:33 PM, Joel Rodriguez <[email protected]> wrote:
>>>>>
>>>>> Ludovic, can you help with my question below. Also, this is the entire output; as you can see in the RADIUS reply, I do not see where PacketFence is sending back the VLAN.
>>>>>
>>>>> I am having an issue where I have a rule successfully match and it is based on AD Group; however, even if the account used on the device is not in the correct AD Group it still successfully authenticates. I believe this is more of an AAA override issue. Is there anywhere on PacketFence where I can see if PacketFence is sending back the vlan assignment? All I see in the log is successful authentication, nothing indicating it sent back a vlan override. Thank you in advance for your help.
>>>>>
>>>>> Request Time
>>>>> 0
>>>>> RADIUS Request
>>>>> User-Name = "test"
>>>>> NAS-IP-Address = 172.16.99.99
>>>>> NAS-Port = 5
>>>>> Service-Type = Framed-User
>>>>> Framed-IP-Address = 172.16.100.174
>>>>> Framed-MTU = 1485
>>>>> State = 0x5ce103c05de81912a6fe102bc6c3d43e
>>>>> Called-Station-Id = "2c:21:21:9d:5f:60:Rdz-EWC
>>>>> Calling-Station-Id = "56:59:f8:36:e1:55"
>>>>> NAS-Identifier = "WLC2CF8.9B15.6E14"
>>>>> NAS-Port-Type = Wireless-802.11
>>>>> Event-Timestamp = "Mar 16 2021 08:59:38 EDT"
>>>>> EAP-Message = 0x020900061a03
>>>>> NAS-Port-Id = "capwap_90000004"
>>>>> Airespace-Wlan-Id = 1
>>>>> Cisco-AVPair = "service-type=Framed"
>>>>> Cisco-AVPair = "audit-session-id=636310AC0000004094F18357"
>>>>> Cisco-AVPair = "method=dot1x"
>>>>> Cisco-AVPair = "addrv6=fe80::1ca6:189c:65f4:5770"
>>>>> Cisco-AVPair = "client-iif-id=469767067"
>>>>> Cisco-AVPair = "vlan-id=100"
>>>>> Cisco-AVPair = "cisco-wlan-ssid=Rdz-EWC"
>>>>> Cisco-AVPair = "wlan-profile-name=Rdz-EWC"
>>>>> FreeRADIUS-Proxied-To = 127.0.0.1
>>>>> EAP-Type = MSCHAPv2
>>>>> Stripped-User-Name = "test"
>>>>> Realm = "null"
>>>>> Called-Station-SSID = "Rdz-EWC"
>>>>> PacketFence-Domain = "NNGDomain"
>>>>> PacketFence-KeyBalanced = "6d5099cbb3bd042f6788696b2f8e2bfc"
>>>>> PacketFence-Radius-Ip = "172.16.100.95"
>>>>> PacketFence-NTLMv2-Only = ""
>>>>> PacketFence-Outer-User = "test"
>>>>> User-Password = "******"
>>>>> SQL-User-Name = "test"
>>>>> RADIUS Reply
>>>>> EAP-Message = 0x03090004
>>>>> Message-Authenticator = 0x00000000000000000000000000000000
>>>>> User-Name = "test"
>>>>>
>>>>> ---------- Forwarded message ---------
>>>>> From: Joel Rodriguez <[email protected]>
>>>>> Date: Tue, Mar 16, 2021 at 10:13 AM
>>>>> Subject: VLAN Override Issue
>>>>> To: <[email protected]>
>
> <realm.conf><profiles.conf><authentication.conf>
_______________________________________________ PacketFence-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/packetfence-users
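The diagnosis in this thread comes from reading the `grep -i MAC /usr/local/pf/logs/packetfence.log` output by hand: which sources were consulted for which realm, whether any rule matched, and what role/VLAN `fetchRoleForNode` returned. The script below is an added example, not PacketFence's own code, that automates that reading for a grep dump and prints the findings in root-cause order. It assumes the line layout visible in the quoted output (an optional grep `path:` prefix, timestamp, host, process, worker, level, `[mac:...]`, message); it assumes a multi-source list is comma-separated (the thread only shows one source); and it takes `NNGAuthSource`, the AD source named in the thread, as the source the operator expected to be consulted. The sample lines are a constructed subset of the grep output quoted above.

```python
"""Triage of PacketFence RADIUS authorization log lines (added example, not PacketFence code)."""
import re
from collections import defaultdict

# Constructed sample: a subset of the grep output quoted in the thread.
SAMPLE_LOG = """\
/usr/local/pf/logs/packetfence.log:Mar 26 22:13:39 packetfence packetfence_httpd.aaa: httpd.aaa(14887) INFO: [mac:56:59:f8:36:e1:55] handling radius autz request: from switch_ip => (172.16.99.99), connection_type => Wireless-802.11-EAP,switch_mac => (2c:f8:9b:9d:5f:60), mac => [56:59:f8:36:e1:55], port => 5, username => "test", ssid => Rodriguez-EWC (pf::radius::authorize)
/usr/local/pf/logs/packetfence.log:Mar 26 22:13:39 packetfence packetfence_httpd.aaa: httpd.aaa(14887) INFO: [mac:56:59:f8:36:e1:55] Found authentication source(s) : 'file1' for realm 'null' (pf::config::util::filter_authentication_sources)
/usr/local/pf/logs/packetfence.log:Mar 26 22:13:39 packetfence packetfence_httpd.aaa: httpd.aaa(14887) INFO: [mac:56:59:f8:36:e1:55] Using sources file1 for matching (pf::authentication::match2)
/usr/local/pf/logs/packetfence.log:Mar 26 22:13:39 packetfence packetfence_httpd.aaa: httpd.aaa(14887) INFO: [mac:56:59:f8:36:e1:55] No rules matches or no category defined for the node, set it as unreg. (pf::role::getNodeInfoForAutoReg)
/usr/local/pf/logs/packetfence.log:Mar 26 22:13:39 packetfence packetfence_httpd.aaa: httpd.aaa(14887) WARN: [mac:56:59:f8:36:e1:55] No category computed for autoreg (pf::role::getNodeInfoForAutoReg)
/usr/local/pf/logs/packetfence.log:Mar 26 22:13:39 packetfence packetfence_httpd.aaa: httpd.aaa(14887) INFO: [mac:56:59:f8:36:e1:55] PID: "test", Status: reg Returned VLAN: (undefined), Role: (undefined) (pf::role::fetchRoleForNode)
/usr/local/pf/logs/packetfence.log:Mar 26 22:13:39 packetfence packetfence_httpd.aaa: httpd.aaa(14887) WARN: [mac:56:59:f8:36:e1:55] Use of uninitialized value $vlanName in hash element at /usr/local/pf/lib/pf/Switch.pm line 609.
/usr/local/pf/logs/packetfence.log:Mar 26 22:13:39 packetfence packetfence_httpd.aaa: httpd.aaa(14887) WARN: [mac:56:59:f8:36:e1:55] No parameter Vlan found in conf/switches.conf for the switch 172.16.99.99 (pf::Switch::getVlanByName)
"""

# Line layout inferred from the quoted grep output (assumption): optional "path:" prefix from grep,
# then timestamp, host, process, worker, level and the [mac:...] tag before the message.
LINE_RE = re.compile(
    r"^(?:\S+\.log:)?(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ \S+: \S+ "
    r"(?P<level>[A-Z]+): \[mac:(?P<mac>[0-9a-fA-F:]{17})\] (?P<msg>.*)$")
REQ_RE = re.compile(
    r"handling radius autz request: from switch_ip => \((?P<switch>[^)]*)\), "
    r"connection_type => (?P<ctype>[^,]*),.*?username => \"(?P<user>[^\"]*)\", ssid => (?P<ssid>\S+)")
SRC_RE = re.compile(r"Found authentication source\(s\) : '(?P<sources>[^']*)' for realm '(?P<realm>[^']*)'")
RESULT_RE = re.compile(r"Returned VLAN: \((?P<vlan>[^)]*)\), Role: \((?P<role>[^)]*)\)")
NOPARAM_RE = re.compile(r"No parameter (?P<param>\S+) found in conf/switches\.conf for the switch (?P<switch>\S+)")
NO_RULE_MSG = "No rules matches or no category defined"


def parse_line(line):
    """Split one log line into its fields, or return None if it is not a PacketFence line."""
    m = LINE_RE.match(line.rstrip())
    return m.groupdict() if m else None


def triage(lines):
    """Collapse a grep dump into one summary per MAC address."""
    per_mac = defaultdict(lambda: {
        "username": None, "switch": None, "ssid": None, "connection_type": None,
        "realm": None, "sources": [], "rule_matched": None, "vlan": None, "role": None,
        "missing_switch_params": [], "uninitialized_warnings": 0,
    })
    for raw in lines:
        rec = parse_line(raw)
        if not rec:
            continue
        s, msg = per_mac[rec["mac"].lower()], rec["msg"]
        if m := REQ_RE.search(msg):
            s.update(username=m["user"], switch=m["switch"], ssid=m["ssid"], connection_type=m["ctype"])
        elif m := SRC_RE.search(msg):
            s["realm"] = m["realm"]
            # Assumption: several sources would be listed comma-separated; the thread shows only one.
            s["sources"] = [x.strip(" '") for x in m["sources"].split(",")]
        elif NO_RULE_MSG in msg:
            s["rule_matched"] = False
        elif m := RESULT_RE.search(msg):
            s["vlan"], s["role"] = m["vlan"], m["role"]
            if s["rule_matched"] is None:
                s["rule_matched"] = m["role"] != "undefined"
        elif m := NOPARAM_RE.search(msg):
            s["missing_switch_params"].append((m["param"], m["switch"]))
        elif "Use of uninitialized value" in msg:
            s["uninitialized_warnings"] += 1
    return dict(per_mac)


def explain(summary, expected_source=None):
    """Turn a per-MAC summary into findings, root cause first, symptoms last."""
    findings = []
    if summary["realm"] == "null":
        findings.append("realm resolved to 'null': the username carried no realm, so only sources "
                        "attached to the null realm were searched")
    if expected_source and expected_source not in summary["sources"]:
        findings.append(f"expected source {expected_source!r} was not consulted; "
                        f"sources searched: {summary['sources']}")
    if summary["rule_matched"] is False:
        findings.append("no authentication rule matched, so no role/category was assigned")
    if summary["vlan"] == "undefined":
        findings.append("Returned VLAN is undefined: nothing to put in the Access-Accept, so the reply "
                        "carries no VLAN attributes and the WLC cannot override the VLAN")
    for param, switch in summary["missing_switch_params"]:
        findings.append(f"conf/switches.conf has no '{param}' for switch {switch}: likely a consequence "
                        "of the empty role name rather than a separate problem")
    if summary["uninitialized_warnings"]:
        findings.append(f"{summary['uninitialized_warnings']} 'uninitialized value' warning(s) in the "
                        "role/VLAN code: consistent with an empty role, not a separate bug")
    return findings


if __name__ == "__main__":
    for mac, summary in triage(SAMPLE_LOG.splitlines()).items():
        print(f"{mac} user={summary['username']} switch={summary['switch']} ssid={summary['ssid']}")
        for finding in explain(summary, expected_source="NNGAuthSource"):
            print("  -", finding)
```

Run it against a real dump with `python3 pf_triage.py < grep_output.txt` after replacing `SAMPLE_LOG.splitlines()` with `sys.stdin`; on the thread's output it reports the null realm and the absent AD source first, which is exactly the realm binding the last reply tells the operator to remove.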
