Aaron, it seems we are getting closer to the solution of the riddle. I changed my authentication rules to match yours, i.e. Matches ALL and link “memberOf” to “equals”
It made the CLI test fail authentication for a user not belonging to the target AD group:

root@packetfence:~# /usr/local/pf/bin/pftest authentication fake.user XXXXXX OPTIONS-AD-SOURCE
Authenticating against 'OPTIONS-AD-SOURCE' in context 'admin'
  Authentication SUCCEEDED against OPTIONS-AD-SOURCE (Authentication successful.)
  Did not match against OPTIONS-AD-SOURCE for 'authentication' rules
  Did not match against OPTIONS-AD-SOURCE for 'administration' rules

But my real connection to the RADIUS-protected SSID with this fake.user ID was successful.
Not sure where to look next. Any other ideas or suggestions from Fabrice or Ludovic?

Eugene

From: Aaron Zuercher <aaron.techge...@gmail.com>
Sent: Tuesday, November 02, 2021 12:26 PM
To: E.P. <ype...@gmail.com>
Cc: packetfence-users@lists.sourceforge.net
Subject: Re: [PacketFence-users] AD user group in the authentication source

try memberOf equals
also my rules are set to MATCHES: ALL
not sure if that would matter

On Tue, Nov 2, 2021 at 1:01 PM E.P. <ype...@gmail.com> wrote:

Thank you, Aaron and Ludovic,

This is weird. Here's how the authentication rule looks in my AD source.

Now, I'm testing the user that is NOT a member of the Staff-WiFi AD group:

root@packetfence:~# /usr/local/pf/bin/pftest authentication fake.user XXXXXX OPTIONS-AD-SOURCE
Testing authentication for "fake.user"
Authenticating against 'OPTIONS-AD-SOURCE' in context 'admin'
  Authentication SUCCEEDED against OPTIONS-AD-SOURCE (Authentication successful.)
  Matched against OPTIONS-AD-SOURCE for 'authentication' rule Staff-WiFi
    set_role : Staff-WiFi
    set_unreg_date : 2022-12-31
  Did not match against OPTIONS-AD-SOURCE for 'administration' rules

Eugene

From: Aaron Zuercher <aaron.techge...@gmail.com>
Sent: Tuesday, November 02, 2021 10:52 AM
To: packetfence-users@lists.sourceforge.net
Cc: E.P. <ype...@gmail.com>
Subject: Re: [PacketFence-users] AD user group in the authentication source

Mine is set up for memberOf equals "full DN of Group"

Aaron

On Tue, Nov 2, 2021 at 3:26 AM E.P. via PacketFence-users <packetfence-users@lists.sourceforge.net> wrote:

I dare to ask a stupid question. What is the correct way to create a condition in an AD-based authentication source to verify a user's membership in a specific group?
I created a condition based on the "memberOf" attribute being equal to the DN of the group. It seems it doesn't apply, or rather is not verified: any user from the AD domain who authenticates can connect via RADIUS.

Eugene

_______________________________________________
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users
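The two pftest runs in this thread report two separate results: whether the LDAP bind succeeded ("Authentication SUCCEEDED") and whether any authentication rule matched ("Matched against ... rule Staff-WiFi" versus "Did not match ... for 'authentication' rules"). The model below, which is added example code and not PacketFence's own implementation, evaluates a "memberOf equals <group DN>" rule with "Matches ALL" semantics over a small constructed directory so that distinction is visible, and it also shows the Active Directory caveat that memberOf is a back-link of direct group membership only, so a user who reaches the target group only through a nested group never matches an equals condition. The group DNs, account names other than fake.user, and passwords are assumptions made up for the example.

```python
"""Illustrative model of an authentication-source rule with a
'memberOf equals <group DN>' condition, split the way the thread's pftest
output is: the LDAP bind and the rule match are separate results.

Added example, not PacketFence code. Directory contents, group DNs and
passwords are constructed for the demonstration.
"""
from dataclasses import dataclass

# Constructed group DNs (assumptions, not values from the thread).
STAFF_WIFI_DN = "CN=Staff-WiFi,OU=Groups,DC=corp,DC=example"
CONTRACTORS_DN = "CN=Staff-WiFi-Contractors,OU=Groups,DC=corp,DC=example"
DOMAIN_USERS_DN = "CN=Domain Users,CN=Users,DC=corp,DC=example"

# Constructed directory: sAMAccountName -> LDAP-style multi-valued attributes.
# The password attribute exists only so the simulated bind can succeed or fail.
DIRECTORY = {
    "staff.user": {
        "password": ["S3cret!"],
        "memberOf": [STAFF_WIFI_DN, DOMAIN_USERS_DN],
    },
    "fake.user": {
        "password": ["XXXXXX"],
        "memberOf": [DOMAIN_USERS_DN],
    },
    "nested.user": {
        # Direct member of Contractors only. Even if Contractors is itself a
        # member of Staff-WiFi, AD's memberOf back-link lists direct groups
        # only, so Staff-WiFi never appears on this entry.
        "password": ["N3sted!"],
        "memberOf": [CONTRACTORS_DN, DOMAIN_USERS_DN],
    },
}


@dataclass
class Condition:
    attr: str
    op: str        # "equals" or "not_equals"
    value: str


@dataclass
class Rule:
    name: str
    match: str     # "all" or "any"
    conditions: list
    actions: dict  # e.g. {"set_role": "Staff-WiFi", "set_unreg_date": "2022-12-31"}


def condition_holds(entry: dict, cond: Condition) -> bool:
    """'equals' on a multi-valued attribute holds if any value equals the
    operand; AD DNs compare case-insensitively, so both sides are lowered."""
    values = entry.get(cond.attr, [])
    hit = any(v.lower() == cond.value.lower() for v in values)
    if cond.op == "equals":
        return hit
    if cond.op == "not_equals":
        return not hit
    raise ValueError(f"unsupported operator {cond.op!r}")


def rule_matches(entry: dict, rule: Rule) -> bool:
    results = [condition_holds(entry, c) for c in rule.conditions]
    if not results:
        return True  # a rule with no conditions is a catch-all in this model
    return all(results) if rule.match == "all" else any(results)


def bind(username: str, password: str) -> bool:
    """Simulated LDAP simple bind: does the account exist with this password?"""
    entry = DIRECTORY.get(username)
    return entry is not None and password in entry["password"]


def check_authentication(username: str, password: str, rules: list):
    """Same shape as the thread's pftest output: returns
    (bind_succeeded, actions of the first matching rule or None)."""
    if not bind(username, password):
        return False, None
    entry = DIRECTORY[username]
    for rule in rules:
        if rule_matches(entry, rule):
            return True, dict(rule.actions)
    return True, None


STAFF_WIFI_RULE = Rule(
    name="Staff-WiFi",
    match="all",
    conditions=[Condition("memberOf", "equals", STAFF_WIFI_DN)],
    actions={"set_role": "Staff-WiFi", "set_unreg_date": "2022-12-31"},
)

if __name__ == "__main__":
    for user, pw in [("staff.user", "S3cret!"), ("fake.user", "XXXXXX"),
                     ("nested.user", "N3sted!"), ("fake.user", "wrong")]:
        ok, actions = check_authentication(user, pw, [STAFF_WIFI_RULE])
        state = "SUCCEEDED" if ok else "FAILED"
        print(f"{user:12} bind={state:9} rule={actions or 'no match'}")
```

Because the bind and the rule match are independent results, a user who is not in the group still authenticates successfully in this model and simply gets no actions, which is what the second pftest run in the thread prints. Before tuning rules it is worth confirming what the directory actually returns for the account's memberOf attribute when queried as the source's bind DN, since that is the value the equals condition is compared against, and a nested membership will not be present in it.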