Hello David,

You have multiple solutions.

The first one is to use the filter in the connection profile and the order
of the connection profiles.
So in the advanced filter you can have category equals REJECT and ssid equals
secure_ssid, and have an authentication source of type black_hole assigned
to it.

You can also do it with the VLAN filter, in the nodeinfoforautoreg scope,
with something similar to the filter I previously defined in the connection
profile, and you will define the role REJECT at the end.

Regards
Fabrice
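As an added worked example (not from this thread and not PacketFence's own configuration), here is what the two options described above could look like in the PacketFence configuration files. The section names, the source name blackhole_reject, the SSID value, and the exact attribute, key and scope spellings (advanced_filter, node_info.category, NodeInfoForAutoReg, type=Blackhole) are assumptions for illustration; verify them against the documentation and the conf/*.conf.defaults files shipped with your PacketFence version before relying on them.

```ini
# Option 1: connection profile, /usr/local/pf/conf/profiles.conf
# Assumed names and keys for this example (check profiles.conf.defaults).
# The profile list is evaluated top to bottom and the first match wins,
# so this profile must be ordered ABOVE the profile that auto-registers
# nodes as staffbyod.
[reject_manual_nodes]
description=Keep manually rejected nodes out of the BYOD auto-registration
status=enabled
advanced_filter=node_info.category == "REJECT" && ssid == "secure_ssid"
sources=blackhole_reject

# Authentication source referenced above, /usr/local/pf/conf/authentication.conf
# A Blackhole source never returns a role or access, so a matching node
# is denied instead of being re-registered.
[blackhole_reject]
description=Always deny access for nodes matched by reject_manual_nodes
type=Blackhole

# Option 2: VLAN filter, /usr/local/pf/conf/vlan_filters.conf
# Assumed scope and attribute spellings (check vlan_filters.conf.defaults).
# Runs when node info is computed for auto-registration, so the role set
# here is what the node record keeps instead of the profile's staffbyod.
[keep_reject_on_autoreg]
description=Do not let auto-registration overwrite a manual REJECT role
status=enabled
scopes=NodeInfoForAutoReg
condition=node_info.category == "REJECT" && ssid == "secure_ssid"
role=REJECT
```

The profile approach depends on ordering: if the REJECT profile sits below the staffbyod profile it will never be reached, which is worth checking first when a filter appears to have no effect. The VLAN filter approach does not depend on profile order because it applies at auto-registration time; after editing either file, reload the configuration and watch packetfence.log for the "Instantiate profile" and "Returned VLAN ... Role:" lines to confirm which profile and role were chosen.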
Le mer. 28 déc. 2022 à 15:44, David Herselman via PacketFence-users <
packetfence-users@lists.sourceforge.net> a écrit :

> Hi,
>
> I have a connection profile setup to auto register nodes as a staffbyod
> role when certain conditions are met. This however then overwrites manual
> role assignments, for example when I manually update a node to have a role
> REJECT it gets reset as having a staffbyod role when it reconnects.
>
> I attempted to add a filter for last_node equals ‘REJECT’ and node_role
> equals ‘REJECT’ but this didn’t change the behaviour. Is there possibly a
> way to filter connection profiles assigning a role when the node is not
> unregistered?
>
> Herewith logs where the node is kicked off the network when the role is
> changed to ‘REJECT’ and the logs where the client is then recomputed as
> having the ‘staffbyod’ role when it reconnects:
>
> Dec 28 19:46:02 packetfence packetfence[1589245]: pfperl-api(1589245)
> INFO: re-evaluating access (admin_modify called)
> (pf::enforcement::reevaluate_access)
>
> Dec 28 19:46:02 packetfence packetfence[1589245]: pfperl-api(1589245)
> INFO: Instantiate profile 802.1x_EAP
> (pf::Connection::ProfileFactory::_from_profile)
>
> Dec 28 19:46:02 packetfence packetfence[1589245]: pfperl-api(1589245)
> INFO: VLAN reassignment is forced.
> (pf::enforcement::_should_we_reassign_vlan)
>
> Dec 28 19:46:02 packetfence packetfence[1589245]: pfperl-api(1589245)
> INFO: switch port is (172.16.10.53) ifIndex 0connection type: WiFi 802.1X
> (pf::enforcement::_vlan_reevaluation)
>
> Dec 28 19:46:03 packetfence packetfence_httpd.aaa[1554532]:
> httpd.aaa(759442) WARN: [mac:de:ad:be:ef:de:ad] Firewall SSO Notify
> (pf::api::firewallsso_accounting)
>
> Dec 28 19:46:03 packetfence packetfence_httpd.aaa[1554532]:
> httpd.aaa(759442) INFO: [mac:de:ad:be:ef:de:ad] Sending a firewall SSO
> 'Stop' request for MAC 'de:ad:be:ef:de:ad' and IP '10.239.239.28'
> (pf::firewallsso::do_sso)
>
> Dec 28 19:46:03 packetfence pfqueue[1604847]: pfqueue(1604847) INFO:
> [mac:de:ad:be:ef:de:ad] [de:ad:be:ef:de:ad] DesAssociating mac on switch
> (172.16.10.53) (pf::api::desAssociate)
>
> Dec 28 19:46:03 packetfence pfqueue[1604847]: pfqueue(1604847) INFO:
> [mac:de:ad:be:ef:de:ad] deauthenticating de:ad:be:ef:de:ad
> (pf::Switch::Mikrotik::radiusDisconnect)
>
> Dec 28 19:46:03 packetfence pfqueue[1604847]: pfqueue(1604847) ERROR:
> [mac:de:ad:be:ef:de:ad] Trying to save a NULL value in a non nullable field
> radius_audit_log.mac (pf::dal::validate_field)
>
> Dec 28 19:46:03 packetfence pfqueue[1604847]: pfqueue(1604847) ERROR:
> [mac:de:ad:be:ef:de:ad] Skipping invalid value (NULL) in when inserting
> field radius_audit_log.mac (pf::dal::_insert_data)
>
> Dec 28 19:46:03 packetfence pfqueue[1604847]: pfqueue(1604847) WARN:
> [mac:de:ad:be:ef:de:ad] Warning: 1364: Field 'mac' doesn't have a default
> value (pf::dal::db_execute)
>
> Dec 28 19:46:06 packetfence packetfence_httpd.aaa[1554532]:
> httpd.aaa(759442) WARN: [mac:00:22:4d:88:b0:9a] Use of uninitialized value
> $nas_port in concatenation (.) or string at /usr/local/pf/lib/pf/Switch.pm
> line 2470. (pf::Switch::NasPortToIfIndex)
>
> Dec 28 19:46:12 packetfence packetfence_httpd.aaa[1581156]:
> httpd.aaa(759442) INFO: [mac:de:ad:be:ef:de:ad] handling radius autz
> request: from switch_ip => (172.16.10.53), connection_type =>
> Wireless-802.11-EAP,switch_mac => (02:00:00:aa:00:01), mac =>
> [de:ad:be:ef:de:ad], port => 0, username => "joe.doe", ssid => RedactedWiFi
> (pf::radius::authorize)
>
> Dec 28 19:46:12 packetfence packetfence_httpd.aaa[1581156]:
> httpd.aaa(759442) INFO: [mac:de:ad:be:ef:de:ad] Instantiate profile
> 802.1x_EAP (pf::Connection::ProfileFactory::_from_profile)
>
> Dec 28 19:46:12 packetfence packetfence_httpd.aaa[1581156]:
> httpd.aaa(759442) INFO: [mac:de:ad:be:ef:de:ad] Found authentication
> source(s) : 'redactedad_users_byod' for realm 'null'
> (pf::config::util::filter_authentication_sources)
>
> Dec 28 19:46:12 packetfence packetfence_httpd.aaa[1581156]:
> httpd.aaa(759442) INFO: [mac:de:ad:be:ef:de:ad] Using sources
> redactedad_users_byod for matching (pf::authentication::match2)
>
> Dec 28 19:46:12 packetfence packetfence_httpd.aaa[1581156]:
> httpd.aaa(759442) WARN: [mac:de:ad:be:ef:de:ad] [redactedad_users_byod
> staff] Searching for
> (&(sAMAccountName=joe.doe)(memberOf=CN=redacted,OU=Redacted,OU=Security
> Groups,OU=Redacted,DC=ad,DC=redacted)), from
> OU=Users,OU=Redacted,DC=ad,DC=redacted, with scope sub
> (pf::Authentication::Source::LDAPSource::match_in_subclass)
>
> Dec 28 19:46:12 packetfence packetfence_httpd.aaa[1581156]:
> httpd.aaa(759442) INFO: [mac:de:ad:be:ef:de:ad] Matched rule (staff) in
> source redactedad_users_byod, returning actions.
> (pf::Authentication::Source::match_rule)
>
> Dec 28 19:46:12 packetfence packetfence_httpd.aaa[1581156]:
> httpd.aaa(759442) INFO: [mac:de:ad:be:ef:de:ad] Matched rule (staff) in
> source redactedad_users_byod, returning actions.
> (pf::Authentication::Source::match)
>
> Dec 28 19:46:12 packetfence packetfence_httpd.aaa[1581156]:
> httpd.aaa(759442) INFO: [mac:de:ad:be:ef:de:ad] Found authentication
> source(s) : 'redactedad_users_byod' for realm 'null'
> (pf::config::util::filter_authentication_sources)
>
> Dec 28 19:46:12 packetfence packetfence_httpd.aaa[1581156]:
> httpd.aaa(759442) INFO: [mac:de:ad:be:ef:de:ad] Role has already been
> computed and we don't want to recompute it. Getting role from node_info
> (pf::role::getRegisteredRole)
>
> Dec 28 19:46:12 packetfence packetfence_httpd.aaa[1581156]:
> httpd.aaa(759442) INFO: [mac:de:ad:be:ef:de:ad] Username was defined
> "joe.doe" - returning role 'staffbyod' (pf::role::getRegisteredRole)
>
> Dec 28 19:46:12 packetfence packetfence_httpd.aaa[1581156]:
> httpd.aaa(759442) INFO: [mac:de:ad:be:ef:de:ad] PID: "joe.doe", Status: reg
> Returned VLAN: (undefined), Role: staffbyod (pf::role::fetchRoleForNode)
>
> Dec 28 19:46:12 packetfence packetfence_httpd.aaa[1581156]:
> httpd.aaa(759442) INFO: [mac:de:ad:be:ef:de:ad] (172.16.10.53) Returning
> ACCEPT with VLAN 52 and role
> (pf::Switch::Mikrotik::returnRadiusAccessAccept)
>
> Dec 28 19:46:12 packetfence packetfence_httpd.aaa[1581156]:
> httpd.aaa(759442) INFO: [mac:de:ad:be:ef:de:ad] security_event 1300003
> force-closed for de:ad:be:ef:de:ad
> (pf::security_event::security_event_force_close)
>
> Dec 28 19:46:12 packetfence packetfence_httpd.aaa[1581156]:
> httpd.aaa(759442) INFO: [mac:de:ad:be:ef:de:ad] Instantiate profile
> 802.1x_EAP (pf::Connection::ProfileFactory::_from_profile)
>
> Dec 28 19:46:12 packetfence packetfence_httpd.aaa[1554532]:
> httpd.aaa(759442) INFO: [mac:de:ad:be:ef:de:ad] Updating locationlog from
> accounting request (pf::api::handle_accounting_metadata)
>
> Dec 28 19:46:12 packetfence pfqueue[1603374]: pfqueue(1603374) INFO:
> [mac:unknown] Already did a person lookup for joe.doe
> (pf::lookup::person::lookup_person)
>
>
> I’m essentially looking for some guidance on correctly structuring a
> connection profile advanced filter to only apply when the role of the node
> isn’t ‘REJECT’ or the node is already registered.
>
> _______________________________________________
> PacketFence-users mailing list
> PacketFence-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/packetfence-users
>