I would check Auditing > RADIUS Audit Logs to see what is being passed/matched for the test client. It may give you some clues where to look further. Also, one other thing to note is that the rules in the authentication source are matched top-down, and when it finds a match it stops looking, so if you have multiple rules make sure your order is correct.
On Wed, Nov 3, 2021 at 1:50 AM E.P. <ype...@gmail.com> wrote:

> Aaron, it seems we are getting closer to the solution of the riddle.
>
> I changed my authentication rules to match yours, i.e. Matches ALL and link “memberOf” to “equals”.
>
> It made the test from the CLI fail the authentication with a user not belonging to the target AD group:
>
> root@packetfence:~# /usr/local/pf/bin/pftest authentication fake.user XXXXXX OPTIONS-AD-SOURCE
> Authenticating against 'OPTIONS-AD-SOURCE' in context 'admin'
> Authentication SUCCEEDED against OPTIONS-AD-SOURCE (Authentication successful.)
> Did not match against OPTIONS-AD-SOURCE for 'authentication' rules
> Did not match against OPTIONS-AD-SOURCE for 'administration' rules
>
> But my real connection to the RADIUS-protected SSID with this fake.user ID was successful.
>
> Not sure where to look next. Any other ideas or suggestions from Fabrice or Ludovic?
>
> Eugene
>
> *From:* Aaron Zuercher <aaron.techge...@gmail.com>
> *Sent:* Tuesday, November 02, 2021 12:26 PM
> *To:* E.P. <ype...@gmail.com>
> *Cc:* packetfence-users@lists.sourceforge.net
> *Subject:* Re: [PacketFence-users] AD user group in the authentication source
>
> try memberOf equals
>
> also my rules are set to MATCHES: ALL
>
> not sure if that would matter
>
> On Tue, Nov 2, 2021 at 1:01 PM E.P. <ype...@gmail.com> wrote:
>
> > Thank you, Aaron and Ludovic,
> >
> > This is weird. Here’s how the authentication rule looks in my AD source:
> >
> > Now, I’m testing the user that is NOT a member of the Staff-WiFi AD group:
> >
> > root@packetfence:~# /usr/local/pf/bin/pftest authentication fake.user XXXXXX OPTIONS-AD-SOURCE
> > Testing authentication for "fake.user"
> >
> > Authenticating against 'OPTIONS-AD-SOURCE' in context 'admin'
> > Authentication SUCCEEDED against OPTIONS-AD-SOURCE (Authentication successful.)
> > Matched against OPTIONS-AD-SOURCE for 'authentication' rule Staff-WiFi
> > set_role : Staff-WiFi
> > set_unreg_date : 2022-12-31
> > Did not match against OPTIONS-AD-SOURCE for 'administration' rules
> >
> > Eugene
> >
> > *From:* Aaron Zuercher <aaron.techge...@gmail.com>
> > *Sent:* Tuesday, November 02, 2021 10:52 AM
> > *To:* packetfence-users@lists.sourceforge.net
> > *Cc:* E.P. <ype...@gmail.com>
> > *Subject:* Re: [PacketFence-users] AD user group in the authentication source
> >
> > Mine is set up for memberOf equals "full DN of Group"
> >
> > Aaron
> >
> > On Tue, Nov 2, 2021 at 3:26 AM E.P. via PacketFence-users <packetfence-users@lists.sourceforge.net> wrote:
> >
> > > I dare to ask a stupid question.
> > >
> > > What is the correct way to create a condition in an authentication source based on AD to verify a user's specific group membership?
> > >
> > > I created a condition based on the “memberOf” attribute which is equal to the DN of the group. It seems it doesn’t apply, or rather is not verified.
> > >
> > > Any user from the AD domain who authenticates can connect via RADIUS.
> > >
> > > Eugene
> > >
> > > _______________________________________________
> > > PacketFence-users mailing list
> > > PacketFence-users@lists.sourceforge.net
> > > https://lists.sourceforge.net/lists/listinfo/packetfence-users
_______________________________________________ PacketFence-users mailing list PacketFence-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/packetfence-users
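The top-down, first-match rule evaluation Aaron describes, and the two separate stages the pftest output reports (the credential check against the source, then the rule match), as an added Python model. This is illustration code written for this thread, not PacketFence's own Perl implementation under /usr/local/pf; the group DNs, user entries, passwords, operator names (`equals`, `contains`) and rule names are all constructed for the example. It also shows two things the thread touches on: that rule order changes which actions a user gets, and that a `memberOf` condition needs the group's full DN rather than its short name.

```python
"""Toy model of an AD-backed authentication source picking a rule:
rules are tried top-down and the first one whose conditions hold wins.
Added illustration, not PacketFence code. All names and DNs are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Condition:
    attribute: str   # directory attribute to inspect, e.g. "memberOf"
    operator: str    # "equals" or "contains" (hypothetical operator names)
    value: str


@dataclass
class Rule:
    name: str
    match: str                        # "all": every condition must hold; "any": one is enough
    conditions: List[Condition]
    actions: Dict[str, str] = field(default_factory=dict)


# Constructed sample data (no real directory, users or secrets).
STAFF_DN = "CN=Staff-WiFi,OU=Groups,DC=example,DC=com"
USERS_DN = "CN=Domain Users,CN=Users,DC=example,DC=com"
DIRECTORY: Dict[str, Dict[str, List[str]]] = {
    "jane.staff": {"memberOf": [STAFF_DN, USERS_DN]},
    "fake.user": {"memberOf": [USERS_DN]},
}
PASSWORDS = {"jane.staff": "pw-jane", "fake.user": "pw-fake"}  # stand-in for the LDAP bind


def condition_matches(cond: Condition, entry: Dict[str, List[str]]) -> bool:
    """Evaluate one condition against a (possibly multi-valued) attribute."""
    values = entry.get(cond.attribute, [])
    if cond.operator == "equals":
        # Distinguished names compare case-insensitively, so normalise both sides.
        return any(v.casefold() == cond.value.casefold() for v in values)
    if cond.operator == "contains":
        return any(cond.value.casefold() in v.casefold() for v in values)
    raise ValueError(f"unknown operator {cond.operator!r}")


def rule_matches(rule: Rule, entry: Dict[str, List[str]]) -> bool:
    """A rule with no conditions is a catch-all; otherwise apply its match mode."""
    if not rule.conditions:
        return True
    results = [condition_matches(c, entry) for c in rule.conditions]
    return all(results) if rule.match == "all" else any(results)


def evaluate(rules: List[Rule], entry: Dict[str, List[str]]) -> Optional[Tuple[str, Dict[str, str]]]:
    """Top-down, first match wins; None means no rule applied."""
    for rule in rules:
        if rule_matches(rule, entry):
            return rule.name, rule.actions
    return None


def pftest_like(user: str, password: str, rules: List[Rule]) -> Dict[str, object]:
    """Mimic the two stages pftest reports separately: the bind, then the rule match.
    A successful bind with no matching rule is a valid outcome, as in the thread."""
    if PASSWORDS.get(user) != password:
        return {"bind": "FAILED", "rule": None}
    return {"bind": "SUCCEEDED", "rule": evaluate(rules, DIRECTORY[user])}


STAFF_RULE = Rule("Staff-WiFi", "all",
                  [Condition("memberOf", "equals", STAFF_DN)],
                  {"set_role": "Staff-WiFi", "set_unreg_date": "2022-12-31"})
CATCH_ALL = Rule("catch-all", "all", [], {"set_role": "default"})
# Short group name instead of the full DN: this never matches a memberOf value.
SHORT_NAME_RULE = Rule("Staff-WiFi-short", "all",
                       [Condition("memberOf", "equals", "Staff-WiFi")],
                       {"set_role": "Staff-WiFi"})


def staff_first(user: str):
    return evaluate([STAFF_RULE, CATCH_ALL], DIRECTORY[user])


def catch_all_first(user: str):
    # Same rules, wrong order: the catch-all shadows the group rule for everyone.
    return evaluate([CATCH_ALL, STAFF_RULE], DIRECTORY[user])


def staff_only(user: str):
    return evaluate([STAFF_RULE], DIRECTORY[user])


def short_name_only(user: str):
    return evaluate([SHORT_NAME_RULE], DIRECTORY[user])


if __name__ == "__main__":
    for label, fn in [("Staff-WiFi rule first", staff_first),
                      ("catch-all first (wrong order)", catch_all_first),
                      ("Staff-WiFi rule only", staff_only),
                      ("short name instead of DN", short_name_only)]:
        print(label)
        for user in DIRECTORY:
            print(f"  {user:<11} -> {fn(user)}")
    print(pftest_like("fake.user", "pw-fake", [STAFF_RULE]))
```

Running it prints, for each ordering, which rule (if any) each constructed user lands on. The `catch_all_first` case is the failure mode Aaron warns about: a permissive rule placed above the group rule matches first and hands every bound user the catch-all's actions, so when reviewing a source, read the rules in the order the engine does and check that the most specific one comes first.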