Hello Chris,

First, we don't compute the role from the source for Fortigate; we just do an MSCHAP verification, and then, if it's authenticated, we allow the access. It misses a little bit of code to do that, but it's not something really complicated.
Next, the condition in the radius filter you should try:

condition=switch._ip == "172.18.1.90" && connection_type == "VPN-Access"

Btw, I will have to work on the VPN code soon, so I will add the logic to compute the role of the user to return the RADIUS attribute Fortinet-Group-Name.

Regards,
Fabrice

On Tue, May 11, 2021 at 09:55, Chris Crawford via PacketFence-users <packetfence-users@lists.sourceforge.net> wrote:

> Good morning,
>
> I'm looking to assign a user a role, based on their membership in AD, and have that returned to the FortiGate to allow the user to connect to the VPN.
>
> User login comes in from the VPN. The user authenticates.
>
> User-Name = "chris"
> NAS-IP-Address = 10.10.20.10
> Called-Station-Id = "10.10.20.10"
> Calling-Station-Id = "10.10.10.10"
> NAS-Identifier = "FortiGate"
> Proxy-State = 0x313631
> NAS-Port-Type = Virtual
> Acct-Session-Id = "46906026"
> Event-Timestamp = "May 11 2021 10:23:26 ADT"
> Connect-Info = "vpn-ssl"
> Message-Authenticator = 0xcc6237fa515961d575f802b4a0908044
> Fortinet-Vdom-Name = "root"
> MS-CHAP-Challenge = 0x92ae68a2ac66124ad164042f4f38c45b
> MS-CHAP2-Response = 0x7e00806b361b428955e2c7df110c101a8be4000000000000000050fe07df152cd08c0445ee178820959c7bb361acf054930c
> Stripped-User-Name = "chris"
> Realm = "null"
> FreeRADIUS-Client-IP-Address = packetfenceVIP
> PacketFence-Domain = "DOMAIN"
> PacketFence-KeyBalanced = "2276c8900707b1d83ae8bfcaa3008c39"
> PacketFence-Radius-Ip = "packetfence1"
> PacketFence-NTLMv2-Only = "--allow-mschapv2"
> User-Password = "******"
> SQL-User-Name = "chris"
>
> RADIUS Reply
>
> MS-CHAP2-Success = 0x7e533d45464232384144444444433243304643323339413633424430303635354336354243423341423039
> Proxy-State = 0x313631
>
> I have a connection profile that it's supposed to flow through:
>
> 'SSLVPN-90e-Test' => {
>     'billing_tiers' => [],
>     'filter_match_style' => 'all',
>     'preregistration' => 'disabled',
>     'sms_pin_retry_limit' => '0',
>     'unbound_dpsk' => 'disabled',
>     'locale' => [],
>     'vlan_pool_technique' => 'username_hash',
>     'always_use_redirecturl' => 'disabled',
>     'login_attempt_limit' => '0',
>     'template_paths' => [
>         '/usr/local/pf/html/captive-portal/profile-templates/SSLVPN-90e-Test',
>         '/usr/local/pf/html/captive-portal/profile-templates/default',
>         '/usr/local/pf/html/captive-portal/templates'
>     ],
>     'guest_modes' => '',
>     'description' => 'SSLVPN',
>     'network_logoff_popup' => 'disabled',
>     'reuse_dot1x_credentials' => '0',
>     'sources' => [
>         'DOMAIN-SSLVPN'
>     ],
>     'access_registration_when_registered' => 'disabled',
>     'block_interval' => 600,
>     'advanced_filter' => '',
>     'provisioners' => [],
>     'dot1x_recompute_role_from_portal' => 'enabled',
>     'dot1x_unset_on_unmatch' => 'disabled',
>     'status' => 'enabled',
>     'unreg_on_acct_stop' => 'disabled',
>     'root_module' => 'default_policy',
>     'sms_request_limit' => '0',
>     'network_logoff' => 'disabled',
>     'dpsk' => 'disabled',
>     'filter' => [
>         'tenant:1',
>         'switch_group:VPN-Server'
>     ],
>     'mac_auth_recompute_role_from_portal' => 'disabled',
>     'autoregister' => 'disabled',
>     'scans' => [],
>     'redirecturl' => 'http://www.packetfence.org/',
>     'logo' => '/common/packetfence-cp.png',
>     'self_service' => 'default'
>
> This is the source:
>
> bless( {
>     'cache_match' => '0',
>     'realms' => [],
>     'read_timeout' => '10',
>     'basedn' => 'DC=ad,DC=domain,DC=ca',
>     'monitor' => '1',
>     'rules' => [
>         bless( {
>             'cache_key' => 'memberOf,equals,CN=NETWORKS,OU=Users,OU=Secured Groups,OU=NAC,OU=Protected Groups,OU=Admin,DC=ad DC=domain,DC=ca',
>             'actions' => [
>                 bless( {
>                     'value' => 'SSLVPN-NetAdmin',
>                     'type' => 'set_role',
>                     'class' => 'authentication'
>                 }, 'pf::Authentication::Action' ),
>                 bless( {
>                     'value' => '1D',
>                     'type' => 'set_access_duration',
>                     'class' => 'authentication'
>                 }, 'pf::Authentication::Action' )
>             ],
>             'status' => 'enabled',
>             'match' => 'all',
>             'description' => 'SSLVPN NetAdmin group',
>             'class' => 'authentication',
>             'id' => 'SSLVPN-NetAdmin',
>             'conditions' => [
>                 bless( {
>                     'operator' => 'equals',
>                     'attribute' => 'memberOf',
>                     'value' => 'CN=NETWORKS,OU=Users,OU=Secured Groups,OU=NAC,OU=Protected Groups,OU=Admin,DC=ad DC=domain,DC=ca'
>                 }, 'pf::Authentication::Condition' )
>             ]
>         }, 'pf::Authentication::Rule' )
>     ],
>     'password' => 'h2M6z!A^z#kA3kHLG^XrQL6M9UcMos',
>     'dynamic_routing_module' => 'AuthModule',
>     'shuffle' => '1',
>     'searchattributes' => [
>         'sAMAccountName'
>     ],
>     'id' => 'Domain-SSLVPN',
>     'scope' => 'sub',
>     'unique' => 0,
>     'email_attribute' => 'mail',
>     'usernameattribute' => 'sAMAccountName',
>     'dead_duration' => '60',
>     'connection_timeout' => '1',
>     'binddn' => 'CN=PacketFence Authentication,OU=Service Accounts,OU=Admin,DC=ad,DC=domain,DC=ca',
>     'encryption' => 'ssl',
>     'description' => 'Domain - People Authentication - SSLVPN',
>     'port' => '636',
>     'host' => [
>         'ad1.ad.domain.ca',
>         'ad2.ad.domain.ca',
>         'ad3.ad.domain.ca'
>     ],
>     'write_timeout' => '5',
>     'type' => 'AD',
>     'class' => 'internal'
> }, 'pf::Authentication::Source::ADSource' ),
>
> Here is the switch group and switch:
>
> [172.18.1.90]
> description=TEST VPN with FG90E
> group=VPN-Server
> radiusSecret=testVPN
> SSLVPN-NetAdminRole=SSLVPN-NetAdmin
> SSLVPN-NetAdminVlan=999
> RoleMap=Y
> VlanMap=N
>
> [group VPN-Server]
> description=VPN Authentication
> VoIPDHCPDetect=N
> cliAccess=Y
> type=Fortinet::FortiGate
> VlanMap=N
> SSLVPN-NetAdminRole=SSLVPN-NetAdmin
> RoleMap=Y
> radiusSecret=testVPN
>
> Here is the radius filter:
>
> [SSLVPN-NetAdmin]
> status=enabled
> top_op=and
> description=test sslvpn
> scopes=returnRadiusAccessAccept
> merge_answer=yes
> condition=switch._ip == "172.18.1.90" && switch._roles == "SSLVPN-NetAdmin"
> answer.0=reply:Fortinet-Group-Name = VPN-ITS-NetServ
>
> But it doesn't seem to hit the radius filter.
>
> Cheers,
> Chris
>
> _______________________________________________
> PacketFence-users mailing list
> PacketFence-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/packetfence-users
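For readers landing on this thread later, here is Chris's radius_filters.conf stanza side by side with the condition Fabrice proposes. This is an added illustration, not configuration taken from the original posts or from the PacketFence project; the filter name, switch IP, scope and reply attribute value are the ones Chris posted, and the explanatory comments are mine.

```ini
# --- As posted: never fires for the FortiGate SSL VPN ---
# Per Fabrice's reply, PacketFence does not compute a role from the
# authentication source for FortiGate VPN logins; it only verifies MSCHAP.
# switch._roles therefore never carries "SSLVPN-NetAdmin" here, so the
# AND condition is false and no Fortinet-Group-Name is returned.
[SSLVPN-NetAdmin-as-posted]
status=disabled
top_op=and
description=test sslvpn (original condition, kept for comparison)
scopes=returnRadiusAccessAccept
merge_answer=yes
condition=switch._ip == "172.18.1.90" && switch._roles == "SSLVPN-NetAdmin"
answer.0=reply:Fortinet-Group-Name = VPN-ITS-NetServ

# --- Suggested in the thread: key on the connection type instead ---
# Matches any request from the FortiGate at 172.18.1.90 that PacketFence
# classified as a VPN login. Caveat: this is no longer tied to the AD group
# membership from the source rule, so every user who passes MSCHAP against
# this FortiGate gets Fortinet-Group-Name = VPN-ITS-NetServ until the
# per-user role logic Fabrice mentions exists.
[SSLVPN-NetAdmin]
status=enabled
top_op=and
description=test sslvpn (connection_type based)
scopes=returnRadiusAccessAccept
merge_answer=yes
condition=switch._ip == "172.18.1.90" && connection_type == "VPN-Access"
answer.0=reply:Fortinet-Group-Name = VPN-ITS-NetServ
```

After editing the file, reload the filter configuration and watch the RADIUS debug output for the Fortinet-Group-Name attribute in the Access-Accept; if it is still absent, confirm that the request really arrives with switch IP 172.18.1.90 (the switch stanza, not the NAS-IP-Address of 10.10.20.10 seen in the posted request) and that it is classified as VPN-Access, since both terms of the condition must hold.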