Hello,

Trying to reach out again in the attempt to get some ideas or insights.

My problems are still the same with conditions in the authentication source.

Problem number one. I want to have an authentication rule that looks like this (Non-Staff-WiFi). PF doesn't like the "not_equals" operand.

Problem number two: If I have only one authentication rule, i.e. Staff-WiFi as shown above, any user who successfully authenticates but is not a member of the said AD group still gets access and is assigned the Staff-WiFi role.

Eugene

From: E.P. <ype...@gmail.com>
Sent: Tuesday, November 02, 2021 11:50 PM
To: 'Aaron Zuercher' <aaron.techge...@gmail.com>
Cc: packetfence-users@lists.sourceforge.net
Subject: RE: [PacketFence-users] AD user group in the authentication source

Aaron, it seems we are getting closer to the solution of the riddle.

I changed my authentication rules to match yours, i.e. Matches ALL and link "memberOf" to "equals".

It made the test from the CLI fail the authentication with a user not belonging to the target AD group:

root@packetfence:~# /usr/local/pf/bin/pftest authentication fake.user XXXXXX OPTIONS-AD-SOURCE
Authenticating against 'OPTIONS-AD-SOURCE' in context 'admin'
Authentication SUCCEEDED against OPTIONS-AD-SOURCE (Authentication successful.)
Did not match against OPTIONS-AD-SOURCE for 'authentication' rules
Did not match against OPTIONS-AD-SOURCE for 'administration' rules

But my real connection to the RADIUS protected SSID with this fake.user ID was successful.

Not sure where to look next. Any other ideas or suggestions from Fabrice or Ludovic?

Eugene

From: Aaron Zuercher <aaron.techge...@gmail.com>
Sent: Tuesday, November 02, 2021 12:26 PM
To: E.P. <ype...@gmail.com>
Cc: packetfence-users@lists.sourceforge.net
Subject: Re: [PacketFence-users] AD user group in the authentication source

try memberOf equals

also my rules are set to MATCHES: ALL, not sure if that would matter

On Tue, Nov 2, 2021 at 1:01 PM E.P. <ype...@gmail.com> wrote:

Thank you, Aaron and Ludovic,

This is weird. Here's how the authentication rule looks in my AD source

Now, I'm testing the user that is NOT a member of the Staff-WiFi AD group:

root@packetfence:~# /usr/local/pf/bin/pftest authentication fake.user XXXXXX OPTIONS-AD-SOURCE
Testing authentication for "fake.user"
Authenticating against 'OPTIONS-AD-SOURCE' in context 'admin'
Authentication SUCCEEDED against OPTIONS-AD-SOURCE (Authentication successful.)
Matched against OPTIONS-AD-SOURCE for 'authentication' rule Staff-WiFi
set_role : Staff-WiFi
set_unreg_date : 2022-12-31
Did not match against OPTIONS-AD-SOURCE for 'administration' rules

Eugene

From: Aaron Zuercher <aaron.techge...@gmail.com>
Sent: Tuesday, November 02, 2021 10:52 AM
To: packetfence-users@lists.sourceforge.net
Cc: E.P. <ype...@gmail.com>
Subject: Re: [PacketFence-users] AD user group in the authentication source

Mine is set up for memberOf equals "full DN of Group"

Aaron

On Tue, Nov 2, 2021 at 3:26 AM E.P. via PacketFence-users <packetfence-users@lists.sourceforge.net> wrote:

I dare to ask a stupid question. What is the correct way to create a condition in the authentication source based on AD to verify the user's specific group membership?

I created a condition based on the "memberOf" attribute which is equal to the DN of the group. It seems it doesn't apply, or rather is not verified. Any user from the AD domain who authenticates can connect via RADIUS.

Eugene

_______________________________________________
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users
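As an added example (not from the thread and not PacketFence's own code), a small Python check that parses the pftest output quoted above and flags the two situations described in the thread: a user outside the AD group still matching the Staff-WiFi rule, and a user whose credentials are accepted but who matches no rule at all. The sample outputs are constructed from the runs quoted in the thread; the audit() expectations are an assumption about what the rules are meant to do for each test account.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional
# Constructed samples: the two pftest runs quoted in the thread (password elided).
PFTEST_NO_MATCH = """\
Authenticating against 'OPTIONS-AD-SOURCE' in context 'admin'
Authentication SUCCEEDED against OPTIONS-AD-SOURCE (Authentication successful.)
Did not match against OPTIONS-AD-SOURCE for 'authentication' rules
Did not match against OPTIONS-AD-SOURCE for 'administration' rules
"""
PFTEST_MATCH = """\
Authenticating against 'OPTIONS-AD-SOURCE' in context 'admin'
Authentication SUCCEEDED against OPTIONS-AD-SOURCE (Authentication successful.)
Matched against OPTIONS-AD-SOURCE for 'authentication' rule Staff-WiFi
set_role : Staff-WiFi
set_unreg_date : 2022-12-31
Did not match against OPTIONS-AD-SOURCE for 'administration' rules
"""

@dataclass
class PftestResult:
    authenticated: bool = False
    matched_rule: Optional[str] = None                      # 'authentication' rule that fired
    actions: Dict[str, str] = field(default_factory=dict)  # set_role, set_unreg_date, ...

def parse_pftest(output: str) -> PftestResult:
    """Parse the text printed by `pftest authentication <user> <pass> <source>`."""
    res = PftestResult()
    for line in (l.strip() for l in output.splitlines()):
        if line.startswith("Authentication SUCCEEDED"):
            res.authenticated = True
        elif m := re.match(r"Matched against \S+ for 'authentication' rule (\S+)", line):
            res.matched_rule = m.group(1)
        elif m := re.match(r"(set_\w+)\s*:\s*(.+)$", line):
            res.actions[m.group(1)] = m.group(2)
    return res

def audit(output: str, expected_role: Optional[str]) -> List[str]:
    """Compare one pftest run with the intended outcome for that test account.
    expected_role=None (assumed convention) means the account is outside every permitted AD group."""
    res = parse_pftest(output)
    if not res.authenticated:
        return []                          # wrong password: nothing to audit
    got = res.actions.get("set_role")
    findings = []
    if expected_role is None and res.matched_rule:
        findings.append(f"group condition not enforced: rule {res.matched_rule} set role {got}")
    if expected_role is None and not res.matched_rule:
        findings.append("credentials valid but no rule matched: verify RADIUS rejects this user")
    if expected_role and got != expected_role:
        findings.append(f"expected role {expected_role}, got {got}")
    return findings
```

Run pftest for one account inside the group and one outside it, feed each output to audit() with the role you expect, and an empty list means the rule did what it was configured to do.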