Send your conf/profiles.conf

Thanks,

Ludovic Zammit
lzam...@inverse.ca :: +1.514.447.4918 (x145) :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence (http://packetfence.org)


On Apr 9, 2021, at 9:41 AM, Heusler Marie-Cécile <marie-cecile.heus...@divtec.ch> wrote:

Ok, but as you have seen here, here are the logs I have. The node does not get the registration role:

> Apr 9 06:21:21 TPI-PF1 packetfence_httpd.aaa: httpd.aaa(1235) INFO: [mac:2c:44:fd:65:ab:27] handling radius autz request: from switch_ip => (192.168.137.200), connection_type => Ethernet-NoEAP,switch_mac => (00:16:b9:0b:37:0d), mac => [2c:44:fd:65:ab:27], port => 19, username => "2c44fd65ab27" (pf::radius::authorize)
> Apr 9 06:21:21 TPI-PF1 packetfence_httpd.aaa: httpd.aaa(1235) INFO: [mac:2c:44:fd:65:ab:27] Instantiate profile default (pf::Connection::ProfileFactory::_from_profile)
> Apr 9 06:21:21 TPI-PF1 packetfence_httpd.aaa: httpd.aaa(1235) INFO: [mac:2c:44:fd:65:ab:27] Match rule Email-on-role (pf::access_filter::test)
> Apr 9 06:21:21 TPI-PF1 packetfence_httpd.aaa: httpd.aaa(1235) INFO: [mac:2c:44:fd:65:ab:27] Found authentication source(s) : 'local,file1,MonDomaine' for realm 'null' (pf::config::util::filter_authentication_sources)
> Apr 9 06:21:21 TPI-PF1 packetfence_httpd.aaa: httpd.aaa(1235) WARN: [mac:2c:44:fd:65:ab:27] No category computed for autoreg (pf::role::getNodeInfoForAutoReg)
> Apr 9 06:21:21 TPI-PF1 packetfence_httpd.aaa: httpd.aaa(1235) WARN: [mac:2c:44:fd:65:ab:27] No role specified or found for pid 2c44fd65ab27 (MAC 2c:44:fd:65:ab:27); assume maximum number of registered nodes is reached (pf::node::is_max_reg_nodes_reached)
> Apr 9 06:21:21 TPI-PF1 packetfence_httpd.aaa: httpd.aaa(1235) ERROR: [mac:2c:44:fd:65:ab:27] no role computed by any sources - registration of 2c:44:fd:65:ab:27 to 2c44fd65ab27 failed (pf::registration::setup_node_for_registration)
> Apr 9 06:21:21 TPI-PF1 packetfence_httpd.aaa: httpd.aaa(1235) ERROR: [mac:2c:44:fd:65:ab:27] auto-registration of node failed no role computed by any sources (pf::radius::authorize)
> Apr 9 06:21:21 TPI-PF1 packetfence_httpd.webservices: httpd.webservices(1907) WARN: [mac:2c:44:fd:65:ab:27] Unable to pull accounting history for device 2c:44:fd:65:ab:27. The history set doesn't exist yet. (pf::accounting_events_history::latest_mac_history)

<PastedGraphic-9.tiff>


From: Ludovic Zammit <lzam...@inverse.ca>
Sent: Friday, 9 April 2021 15:39
To: Heusler Marie-Cécile
Cc: packetfence-users@lists.sourceforge.net
Subject: Re: VLAN for rejected machine

Set the VLAN 2 for the registration and it would do what you want.

Thanks,

Ludovic Zammit


On Apr 9, 2021, at 8:50 AM, Heusler Marie-Cécile <marie-cecile.heus...@divtec.ch> wrote:

Ok, but I don't want the guests to be able to register and access the network, I just don't want them to access anything, I just want them to be in vlan2. I don't know these guests in advance; it could be someone outside the company who plugs their computer into a switch, for example. I want them to enter vlan2, isolated.

Thank you very much for all your answers.


From: Ludovic Zammit <lzam...@inverse.ca>
Sent: Friday, 9 April 2021 14:47
To: Heusler Marie-Cécile
Cc: packetfence-users@lists.sourceforge.net
Subject: Re: VLAN for rejected machine

The sources are displayed on the captive portal with the registration VLAN.

No registration VLAN, no captive portal, no guest registration.

If you want your guests to get connected on the network, you will need to import all the MAC addresses in PacketFence using a CSV import under Node. Yes, they will use MAC authentication.

Thanks,

Ludovic Zammit


On Apr 9, 2021, at 8:43 AM, Heusler Marie-Cécile <marie-cecile.heus...@divtec.ch> wrote:

Thank you very much for these explanations.

As I understand, I still need to create an authentication source for guests using MAC authentication; they are not automatically put in the registration VLAN if they are not authenticated with 802.1X.


From: Ludovic Zammit <lzam...@inverse.ca>
Sent: Friday, 9 April 2021 14:34
To: Heusler Marie-Cécile
Cc: packetfence-users@lists.sourceforge.net
Subject: Re: VLAN for rejected machine

Ok, let me show a basic workflow for Wireless; it works almost the same for wired authentication.

Here is the diagram showing the interaction between PacketFence, the endpoint, the AP and the WLAN controller:

<Mail Attachment.png>

1. User initiates association to WLAN AP and transmits MAC address. If user accesses network via a registered device in PacketFence, go to 8.
2. The WLAN controller transmits MAC address via RADIUS to the PacketFence server to authenticate/authorize that MAC address on the AP.
3. PacketFence server conducts address audit in its database. If it does not recognize the MAC address, go to 4. If it does, go to 8.
4. PacketFence server directs WLAN controller via RADIUS (RFC2868 attributes) to put the device in an "unauthenticated role" (set of ACLs that would limit/redirect the user to the PacketFence captive portal for registration, or we can also use a registration VLAN in which PacketFence does DNS blackholing and is the DHCP server).
5. The user's device issues a DHCP/DNS request to PacketFence (which is a DHCP/DNS server on this VLAN or for this role), which sends the IP and DNS information. At this point, ACLs are limiting/redirecting the user to PacketFence's captive portal for authentication.
6. PacketFence fingerprints the device (user-agent attributes, DHCP information & MAC address patterns), on which it can take various actions including: keep device on registration portal, direct to alternate captive portal, auto-register the device, auto-block the device, etc. If the device remains on the registration portal, the user registers by providing the information (username/password, cell phone number, etc.). At this time PacketFence could also require the device to go through a posture assessment (using Nessus, OpenVAS, etc.).
7. If authentication is required (username/password) through a login form, those credentials are validated via the Directory server (or any other authentication sources, like LDAP, SQL, RADIUS, SMS, Facebook, Google+, etc.), which provides user attributes to PacketFence, which creates a user+device policy profile in its database.
8. PacketFence performs a Change of Authorization (RFC3576) on the controller and the user must be re-authenticated/reauthorized, so we go back to 1.
9. PacketFence server directs WLAN controller via RADIUS to put the device in an "authenticated role", or in the "normal" VLAN.

Then in a normal deployment you would have one secured SSID with 802.1X EAP PEAP and one open captive portal SSID using MAC authentication.

The secure SSID is to authenticate corporate devices like domain-joined computers, users that own AD credentials. It requires a configuration on the devices to instruct them to push or ask a username/password or even a computer account.

The open SSID is to authenticate guest users on a captive portal using MAC authentication. You can use the VLAN enforcement to redirect them into a VLAN (Registration) that PacketFence manages 100% (in most cases not routed; DHCP, DNS and gateway) or you can use the Web Authentication method if the equipment supports it. On that Guest portal, you can authenticate the guest with many different sources of authentication; the most used are the Email registration and the SMS registration. You could mix them up like Guest type (SMS + Email) + Login type (AD).

You can't mix up the method of authentication on wireless.

Secure SSID = WPA2 Enterprise 802.1X EAP PEAP (or EAP TLS) without captive portal (Auto-registration)
Open SSID = Open, no encryption, RADIUS MAC authentication with a captive portal

On the wired side, you can have 802.1X then MAC authentication configured on a switch port. The MAC authentication configured that way will most likely engage 30 seconds after, if the computer does not push an 802.1X identity. That is where you authenticate your wired guests. You should redirect them into the PF registration VLAN to show them the captive portal. In some cases, you want your MAC authentication users to be dropped directly into a production VLAN without doing anything, to give them direct access on the network for a roll-out, for example.

I hope it makes it clearer.

Thanks,

Ludovic Zammit


On Apr 9, 2021, at 8:17 AM, Heusler Marie-Cécile <marie-cecile.heus...@divtec.ch> wrote:

But which source should the non-domain items use?

vlan id2 is assigned to the registration role on the switch.

<pastedImage.png>
<pastedImage.png>
<pastedImage.png>
<pastedImage.png>
<pastedImage.png>


From: Ludovic Zammit <lzam...@inverse.ca>
Sent: Friday, 9 April 2021 13:53
To: Heusler Marie-Cécile
Cc: packetfence-users@lists.sourceforge.net
Subject: Re: VLAN for rejected machine

Hello,

Show me the conf/authentication.conf

You are definitely registering that device with a source where the rule is not well configured.

On each rule, you need to return an Access Duration / Unregistration date and a Role.

The Role needs to be configured with the VLAN ID in the switch config.

Thanks,

Ludovic Zammit


On Apr 9, 2021, at 12:22 AM, Heusler Marie-Cécile <marie-cecile.heus...@divtec.ch> wrote:

Apr 9 06:21:21 TPI-PF1 packetfence_httpd.aaa: httpd.aaa(1235) INFO: [mac:2c:44:fd:65:ab:27] handling radius autz request: from switch_ip => (192.168.137.200), connection_type => Ethernet-NoEAP,switch_mac => (00:16:b9:0b:37:0d), mac => [2c:44:fd:65:ab:27], port => 19, username => "2c44fd65ab27" (pf::radius::authorize)
Apr 9 06:21:21 TPI-PF1 packetfence_httpd.aaa: httpd.aaa(1235) INFO: [mac:2c:44:fd:65:ab:27] Instantiate profile default (pf::Connection::ProfileFactory::_from_profile)
Apr 9 06:21:21 TPI-PF1 packetfence_httpd.aaa: httpd.aaa(1235) INFO: [mac:2c:44:fd:65:ab:27] Match rule Email-on-role (pf::access_filter::test)
Apr 9 06:21:21 TPI-PF1 packetfence_httpd.aaa: httpd.aaa(1235) INFO: [mac:2c:44:fd:65:ab:27] Found authentication source(s) : 'local,file1,MonDomaine' for realm 'null' (pf::config::util::filter_authentication_sources)
Apr 9 06:21:21 TPI-PF1 packetfence_httpd.aaa: httpd.aaa(1235) WARN: [mac:2c:44:fd:65:ab:27] No category computed for autoreg (pf::role::getNodeInfoForAutoReg)
Apr 9 06:21:21 TPI-PF1 packetfence_httpd.aaa: httpd.aaa(1235) WARN: [mac:2c:44:fd:65:ab:27] No role specified or found for pid 2c44fd65ab27 (MAC 2c:44:fd:65:ab:27); assume maximum number of registered nodes is reached (pf::node::is_max_reg_nodes_reached)
Apr 9 06:21:21 TPI-PF1 packetfence_httpd.aaa: httpd.aaa(1235) ERROR: [mac:2c:44:fd:65:ab:27] no role computed by any sources - registration of 2c:44:fd:65:ab:27 to 2c44fd65ab27 failed (pf::registration::setup_node_for_registration)
Apr 9 06:21:21 TPI-PF1 packetfence_httpd.aaa: httpd.aaa(1235) ERROR: [mac:2c:44:fd:65:ab:27] auto-registration of node failed no role computed by any sources (pf::radius::authorize)
Apr 9 06:21:21 TPI-PF1 packetfence_httpd.webservices: httpd.webservices(1907) WARN: [mac:2c:44:fd:65:ab:27] Unable to pull accounting history for device 2c:44:fd:65:ab:27. The history set doesn't exist yet. (pf::accounting_events_history::latest_mac_history)


From: Ludovic Zammit <lzam...@inverse.ca>
Sent: Thursday, 8 April 2021 18:32
To: Heusler Marie-Cécile
Cc: packetfence-users@lists.sourceforge.net
Subject: Re: VLAN for rejected machine

Unregister your device and give the output of:

grep 2c:44:fd:65:ab:27 /usr/local/pf/logs/packetfence.log

Thanks,

Ludovic Zammit


On Apr 8, 2021, at 12:03 PM, Heusler Marie-Cécile <marie-cecile.heus...@divtec.ch> wrote:

So it's weird, because here are my logs when I connect an off-domain machine:

Apr 8 18:02:06 TPI-PF1 auth[1993]: [mac:2c:44:fd:65:ab:27] Rejected user: 2c44fd65ab27
Apr 8 18:02:06 TPI-PF1 auth[1993]: (3098) Rejected in post-auth: [2c44fd65ab27] (from client 192.168.137.200/32 port 19 cli 2c:44:fd:65:ab:27)
Apr 8 18:02:06 TPI-PF1 auth[1993]: (3098) Incorrect login: [2c44fd65ab27] (from client 192.168.137.200/32 port 19 cli 2c:44:fd:65:ab:27)
Apr 8 18:02:06 TPI-PF1 auth[1993]: [mac:2c:44:fd:65:ab:27] Rejected user: 2c44fd65ab27
Apr 8 18:02:06 TPI-PF1 auth[1993]: (3098) Rejected in post-auth: [2c44fd65ab27] (from client 192.168.137.200/32 port 19 cli 2c:44:fd:65:ab:27)
Apr 8 18:02:06 TPI-PF1 auth[1993]: (3098) Incorrect login: [2c44fd65ab27] (from client 192.168.137.200/32 port 19 cli 2c:44:fd:65:ab:27)

And I get the message 'no role computed by any source'.

However, if I create a 'null' source and create a profile with the filter "ethernet no-eap" and my null source, it works.


From: Ludovic Zammit <lzam...@inverse.ca>
Sent: Thursday, 8 April 2021 17:56
To: Heusler Marie-Cécile
Cc: packetfence-users@lists.sourceforge.net
Subject: Re: VLAN for rejected machine

No, it's a default behavior; they will be put in VLAN 2 if they are unregistered.

Thanks,

Ludovic Zammit


On Apr 8, 2021, at 10:25 AM, Heusler Marie-Cécile <marie-cecile.heus...@divtec.ch> wrote:

That's what I did, but do I have to create a specific source for that, and a profile?


From: Ludovic Zammit <lzam...@inverse.ca>
Sent: Thursday, 8 April 2021 16:11:59
To: Heusler Marie-Cécile
Cc: packetfence-users@lists.sourceforge.net
Subject: Re: VLAN for rejected machine

Ok, so put VLAN 2 as the registration VLAN in your switch configuration under Configuration > Policies and Access Control > Switches > Switch IP > Roles > Registration -> 2

Thanks,

Ludovic Zammit


On Apr 8, 2021, at 9:48 AM, Heusler Marie-Cécile <marie-cecile.heus...@divtec.ch> wrote:

Not really. I just want devices that don't match with my AD source to go to VLAN2 and be able to do nothing.


From: Ludovic Zammit <lzam...@inverse.ca>
Sent: Thursday, 8 April 2021 15:29
To: Heusler Marie-Cécile
Cc: packetfence-users@lists.sourceforge.net
Subject: Re: VLAN for rejected machine

Is this the registration VLAN?

Thanks,

Ludovic Zammit


On Apr 8, 2021, at 8:12 AM, Heusler Marie-Cécile <marie-cecile.heus...@divtec.ch> wrote:

For the time being, VLAN2 simply serves as an isolation VLAN. The workstations should not access anything from this VLAN.


From: Ludovic Zammit <lzam...@inverse.ca>
Sent: Thursday, 8 April 2021 13:33
To: Heusler Marie-Cécile
Cc: packetfence-users@lists.sourceforge.net
Subject: Re: VLAN for rejected machine

What's VLAN 2 and its purpose?

Thanks,

Ludovic Zammit


On Apr 8, 2021, at 1:38 AM, Heusler Marie-Cécile <marie-cecile.heus...@divtec.ch> wrote:

The devices are, for example, laptops that are not part of the domain. I want them to enter VLAN2, but I don't know them in advance.

Where do I specify that I want them to be in VLAN2, without their login failing with my AD source?

What I've tried to do so far is to create a second Authorization source, and a new profile that uses that source. I don't know if this is correct.

<pastedImage.png>

<pastedImage.png>

Thanks


From: Ludovic Zammit <lzam...@inverse.ca>
Sent: Wednesday, 7 April 2021 13:53:40
To: Heusler Marie-Cécile
Cc: packetfence-users@lists.sourceforge.net
Subject: Re: VLAN for rejected machine

With MAC authentication, you will need to pre-import your MAC addresses if you know them, create a VLAN filter that automatically a MAC OUI for example, or you redirect them on the captive portal to give them an option to register themselves.

In your case, if you don't know them, you return a VLAN 2 (don't forget to return VLAN 2 in the registration role in the switch configuration) and they will never get a role and be registered. They will end up having access on VLAN 2.

What are those devices?

Thanks,

Ludovic Zammit


On Apr 7, 2021, at 1:25 AM, Heusler Marie-Cécile <marie-cecile.heus...@divtec.ch> wrote:

Ok, I enabled MAC authentication, but now here are my radius logs once I connect the node to the switch:

Apr 7 07:19:51 TPI-PF1 auth[1944]: Adding client 192.168.137.200/32
Apr 7 07:19:51 TPI-PF1 auth[1944]: [mac:98:e7:f4:14:44:f0] Accepted user: and returned VLAN
Apr 7 07:19:51 TPI-PF1 auth[1944]: (3879) Login OK: [98e7f41444f0] (from client 192.168.137.200/32 port 19 cli 98:e7:f4:14:44:f0)

Apr 7 07:19:51 TPI-PF1 packetfence_httpd.aaa: httpd.aaa(1218) INFO: [mac:98:e7:f4:14:44:f0] handling radius autz request: from switch_ip => (192.168.137.200), connection_type => Ethernet-NoEAP,switch_mac => (00:16:b9:0b:37:0d), mac => [98:e7:f4:14:44:f0], port => 19, username => "98e7f41444f0" (pf::radius::authorize)
Apr 7 07:19:51 TPI-PF1 packetfence_httpd.aaa: httpd.aaa(1218) INFO: [mac:98:e7:f4:14:44:f0] Instantiate profile default (pf::Connection::ProfileFactory::_from_profile)
Apr 7 07:19:51 TPI-PF1 packetfence_httpd.aaa: httpd.aaa(1218) INFO: [mac:98:e7:f4:14:44:f0] Match rule Email-on-role (pf::access_filter::test)
Apr 7 07:19:51 TPI-PF1 packetfence_httpd.aaa: httpd.aaa(1218) INFO: [mac:98:e7:f4:14:44:f0] Found authentication source(s) : 'local,file1,MonDomaine' for realm 'null' (pf::config::util::filter_authentication_sources)
Apr 7 07:19:51 TPI-PF1 packetfence_httpd.aaa: httpd.aaa(1218) WARN: [mac:98:e7:f4:14:44:f0] No category computed for autoreg (pf::role::getNodeInfoForAutoReg)
Apr 7 07:19:51 TPI-PF1 packetfence_httpd.aaa: httpd.aaa(1218) INFO: [mac:98:e7:f4:14:44:f0] Match rule Email-on-role (pf::access_filter::test)
Apr 7 07:19:51 TPI-PF1 packetfence_httpd.webservices: httpd.webservices(1790) WARN: [mac:98:e7:f4:14:44:f0] Unable to pull accounting history for device 98:e7:f4:14:44:f0. The history set doesn't exist yet. (pf::accounting_events_history::latest_mac_history)
Apr 7 07:19:51 TPI-PF1 packetfence_httpd.aaa: httpd.aaa(1218) INFO: [mac:98:e7:f4:14:44:f0] Found authentication source(s) : 'local,file1,MonDomaine' for realm 'null' (pf::config::util::filter_authentication_sources)
Apr 7 07:19:51 TPI-PF1 packetfence_httpd.aaa: httpd.aaa(1218) INFO: [mac:98:e7:f4:14:44:f0] Connection type is MAC-AUTH. Getting role from node_info (pf::role::getRegisteredRole)
Apr 7 07:19:51 TPI-PF1 packetfence_httpd.aaa: httpd.aaa(1218) WARN: [mac:98:e7:f4:14:44:f0] Use of uninitialized value $role in concatenation (.) or string at /usr/local/pf/lib/pf/role.pm line 489. (pf::role::getRegisteredRole)
Apr 7 07:19:51 TPI-PF1 packetfence_httpd.aaa: httpd.aaa(1218) INFO: [mac:98:e7:f4:14:44:f0] Username was NOT defined or unable to match a role - returning node based role '' (pf::role::getRegisteredRole)

I tried to create a new connection profile, but the result is the same.

Any ideas?

Thanks


From: Ludovic Zammit <lzam...@inverse.ca>
Sent: Tuesday, 6 April 2021 19:48
To: Heusler Marie-Cécile
Cc: packetfence-users@lists.sourceforge.net
Subject: Re: VLAN for rejected machine

You can't, because if those non-joined machines connect over 802.1X they will fail and stay there.

What you want to do is 802.1X + MAC authentication bypass (MAB) on the switch port.

A non-corporate machine should do MAB and land on the captive portal and authenticate. If you want to skip that part, you can put VLAN ID 2 in the registration role on the switch so everyone that does MAC authentication would be redirected to VLAN 2.

Thanks,

Ludovic Zammit


On Apr 6, 2021, at 1:33 PM, Heusler Marie-Cécile <marie-cecile.heus...@divtec.ch> wrote:

Hello

I have an authentication source that gives the role VLAN1 to the corporate machines.

<pastedImage.png>

<pastedImage.png>

Now I want to give the non-corporate machines the role VLAN2. However, I can't assign a role to a node that can't log in to the source.

Adding client 10.104.92.130/32
Apr 6 19:11:06 packetfence auth[19459]: (195) chrooted_mschap_machine: ERROR: Program returned code (1) and output 'Logon failure (0xc000006d)'
Apr 6 19:11:06 packetfence auth[19459]: (195) Login incorrect (chrooted_mschap_machine: Program returned code (1) and output 'Logon failure (0xc000006d)'): [host/client.tpi.local] (from client 10.104.92.130/32 port 21 cli 2c:44:fd:65:ab:27 via TLS tunnel)
Apr 6 19:11:06 packetfence auth[19459]: [mac:2c:44:fd:65:ab:27] Rejected user: host/client.tpi.local
Apr 6 19:11:06 packetfence auth[19459]: (196) Login incorrect (eap_peap: The users session was previously rejected: returning reject (again.)): [host/client.tpi.local] (from client 10.104.92.130/32 port 21 cli 2c:44:fd:65:ab:27)

A client that is not in the domain will have a login incorrect. But how can I say that every client out of the domain will move to the VLAN2 role?

Thank you for your reply.
_______________________________________________ PacketFence-users mailing list PacketFence-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/packetfence-users
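The two failure shapes that run through this thread can be picked out of packetfence.log mechanically: the Apr 9 lines where no source rule returns a role for an Ethernet-NoEAP (MAC-auth) request, so auto-registration fails and RADIUS rejects the node, and the Apr 7 lines where RADIUS accepts the node but PacketFence returns an empty node-based role, so the switch receives no usable VLAN. The triage script below is an added example written for this page; it is not part of the thread and not PacketFence's own tooling. It groups httpd.aaa and FreeRADIUS auth log lines by endpoint MAC, extracts switch IP, port, connection type, connection profile and the matched source list, and assigns each MAC one of a few constructed verdict labels. The sample log is a subset of the lines quoted in the thread, rejoined one event per line; the regexes only follow the message formats visible there.

```python
"""Triage PacketFence RADIUS / MAC-auth log lines per endpoint MAC (added example)."""
import re
from collections import defaultdict

# Sample lines taken from the thread above (httpd.aaa and FreeRADIUS auth log),
# rejoined so that each event sits on one line.
SAMPLE_LOG = """\
Apr 9 06:21:21 TPI-PF1 packetfence_httpd.aaa: httpd.aaa(1235) INFO: [mac:2c:44:fd:65:ab:27] handling radius autz request: from switch_ip => (192.168.137.200), connection_type => Ethernet-NoEAP,switch_mac => (00:16:b9:0b:37:0d), mac => [2c:44:fd:65:ab:27], port => 19, username => "2c44fd65ab27" (pf::radius::authorize)
Apr 9 06:21:21 TPI-PF1 packetfence_httpd.aaa: httpd.aaa(1235) INFO: [mac:2c:44:fd:65:ab:27] Instantiate profile default (pf::Connection::ProfileFactory::_from_profile)
Apr 9 06:21:21 TPI-PF1 packetfence_httpd.aaa: httpd.aaa(1235) INFO: [mac:2c:44:fd:65:ab:27] Found authentication source(s) : 'local,file1,MonDomaine' for realm 'null' (pf::config::util::filter_authentication_sources)
Apr 9 06:21:21 TPI-PF1 packetfence_httpd.aaa: httpd.aaa(1235) WARN: [mac:2c:44:fd:65:ab:27] No category computed for autoreg (pf::role::getNodeInfoForAutoReg)
Apr 9 06:21:21 TPI-PF1 packetfence_httpd.aaa: httpd.aaa(1235) ERROR: [mac:2c:44:fd:65:ab:27] auto-registration of node failed no role computed by any sources (pf::radius::authorize)
Apr 8 18:02:06 TPI-PF1 auth[1993]: [mac:2c:44:fd:65:ab:27] Rejected user: 2c44fd65ab27
Apr 7 07:19:51 TPI-PF1 auth[1944]: [mac:98:e7:f4:14:44:f0] Accepted user: and returned VLAN
Apr 7 07:19:51 TPI-PF1 packetfence_httpd.aaa: httpd.aaa(1218) INFO: [mac:98:e7:f4:14:44:f0] handling radius autz request: from switch_ip => (192.168.137.200), connection_type => Ethernet-NoEAP,switch_mac => (00:16:b9:0b:37:0d), mac => [98:e7:f4:14:44:f0], port => 19, username => "98e7f41444f0" (pf::radius::authorize)
Apr 7 07:19:51 TPI-PF1 packetfence_httpd.aaa: httpd.aaa(1218) INFO: [mac:98:e7:f4:14:44:f0] Instantiate profile default (pf::Connection::ProfileFactory::_from_profile)
Apr 7 07:19:51 TPI-PF1 packetfence_httpd.aaa: httpd.aaa(1218) INFO: [mac:98:e7:f4:14:44:f0] Found authentication source(s) : 'local,file1,MonDomaine' for realm 'null' (pf::config::util::filter_authentication_sources)
Apr 7 07:19:51 TPI-PF1 packetfence_httpd.aaa: httpd.aaa(1218) INFO: [mac:98:e7:f4:14:44:f0] Username was NOT defined or unable to match a role - returning node based role '' (pf::role::getRegisteredRole)
"""

# Every PacketFence line of interest carries the endpoint MAC in a [mac:...] tag.
MAC_RE = re.compile(r"\[mac:([0-9a-f:]{17})\]")
# Fields of the "handling radius autz request" line, in the order they appear.
AUTZ_RE = re.compile(
    r"switch_ip => \(([\d.]+)\), connection_type => ([\w-]+),switch_mac => "
    r"\(([0-9a-f:]+)\).*?port => (\d+)"
)
PROFILE_RE = re.compile(r"Instantiate profile (\S+) ")
SOURCES_RE = re.compile(r"Found authentication source\(s\) : '([^']*)'")


def new_node():
    """Per-MAC record; flags start False so verdict() is safe on partial logs."""
    return {"switch_ip": None, "switch_mac": None, "port": None,
            "connection_type": None, "profile": None, "sources": [],
            "no_role": False, "empty_role": False,
            "radius_accepted": False, "radius_rejected": False}


def analyze(log_text):
    """Group events by MAC and record what PacketFence decided for each one."""
    nodes = defaultdict(new_node)
    for line in log_text.splitlines():
        m = MAC_RE.search(line)
        if not m:
            continue                      # e.g. "Adding client ..." lines carry no MAC
        node = nodes[m.group(1)]
        if (a := AUTZ_RE.search(line)):
            node["switch_ip"], node["connection_type"] = a.group(1), a.group(2)
            node["switch_mac"], node["port"] = a.group(3), int(a.group(4))
        if (p := PROFILE_RE.search(line)):
            node["profile"] = p.group(1)
        if (s := SOURCES_RE.search(line)):
            node["sources"] = s.group(1).split(",")
        # pf::registration / pf::radius: no source rule returned a role at all.
        if "no role computed by any sources" in line:
            node["no_role"] = True
        # pf::role::getRegisteredRole: node was let through with an empty role.
        if "returning node based role ''" in line:
            node["empty_role"] = True
        if "Accepted user:" in line:
            node["radius_accepted"] = True
        if "Rejected user:" in line:
            node["radius_rejected"] = True
    return dict(nodes)


def verdict(node):
    """Constructed labels for the outcomes seen in the thread."""
    if node["no_role"]:
        return "NO_ROLE"                  # fix: a rule on a matching source must return a role
    if node["radius_accepted"] and node["empty_role"]:
        return "ACCEPTED_WITHOUT_ROLE"    # node passed but got no VLAN from any role
    if node["radius_rejected"]:
        return "REJECTED"
    return "OK" if node["radius_accepted"] else "INCOMPLETE"


def report(log_text):
    """Map each MAC in the log to its verdict label."""
    return {mac: verdict(node) for mac, node in analyze(log_text).items()}


if __name__ == "__main__":
    for mac, node in analyze(SAMPLE_LOG).items():
        print(f"{mac}  {verdict(node):<22} profile={node['profile']} "
              f"sources={','.join(node['sources'])} switch={node['switch_ip']} "
              f"port={node['port']} type={node['connection_type']}")
```

Run it against `grep <mac> /usr/local/pf/logs/packetfence.log` output (the command Ludovic asks for in the thread) by passing the captured text to `report()`. The labels map onto the advice given above: `NO_ROLE` is the case where the matched sources (here `local,file1,MonDomaine` on the default profile) have no rule that fires for an Ethernet-NoEAP request and returns a role plus an access duration, and `ACCEPTED_WITHOUT_ROLE` is the earlier Apr 7 state where the registration role on the switch had no VLAN ID attached.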