Re: [PacketFence-users] Administrative Rule RADIUS Reply

2023-04-28 Thread Fabrice Durand via PacketFence-users
Hello guys,

The issue looks to be the REST-Http-Status-Code, and it should be 401.

I have checked the code and it looks to be ok.

Here (https://github.com/inverse-inc/packetfence/blob/devel/lib/pf/radius.pm#L1045)
we return $RADIUS::RLM_MODULE_FAIL, which should return a 401
(https://github.com/inverse-inc/packetfence/blob/devel/lib/pf/radius/rest.pm#L53).

I have to try to replicate it and I will get back to you.

Regards
Fabrice


Re: [PacketFence-users] Administrative Rule RADIUS Reply

2023-04-28 Thread IT Mercenary via PacketFence-users
Happy Friday!

Using /usr/local/pf/bin/pftest authentication USERNAME  "", I can see that
the user is matching the deny rule as desired.

[image: image.png]

Here is a screenshot of the authentication.conf file. I think this contains
the relevant parts but let me know if I should send you the whole file.

[image: image.png]

Thanks!

___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users


Re: [PacketFence-users] Administrative Rule RADIUS Reply

2023-04-28 Thread Zammit, Ludovic via PacketFence-users
Hello,

You could use the command:

/usr/local/pf/bin/pftest authentication USERNAME  ""   

You will see if you match properly your rule, it should bring Administration 
right.

Could you show me your conf/authentication.conf?

Thanks,

Ludovic Zammit
Product Support Engineer Principal Lead

Cell: +1.613.670.8432
Akamai Technologies - Inverse
145 Broadway
Cambridge, MA 02142


Re: [PacketFence-users] Administrative Rule RADIUS Reply

2023-04-28 Thread IT Mercenary via PacketFence-users
Hi All,

I'm hoping for some guidance on how to change the Radius Reply for CLI
authentication when users are not a member of the specified group. The
group is being matched as the RADIUS reply indicates the right
administration rule is being matched (catch all).

The behavior I was getting:

[image: image.png]

[image: image.png]

Compared to what I'm getting now:
[image: image.png]

[image: image.png]
Thanks!



Re: [PacketFence-users] Administrative Rule RADIUS Reply

2023-04-24 Thread IT Mercenary via PacketFence-users
Hi Ludovic,

I've changed the group to use DN and equal, but I'm getting the same
results. Is there a way to customize the behavior when an administrative
user is authenticated but not authorized?

Thanks!



Re: [PacketFence-users] Administrative Rule RADIUS Reply

2023-04-24 Thread Zammit, Ludovic via PacketFence-users
Hello there,

It looks like the match regex operator does not work properly. In order to
have a good match, use the DistinguishedName of the group object in the AD in
combination with the operator equals:

Memberof equals CN=MyGroup,OU=domain,OU=com

Thanks,



Ludovic Zammit
Product Support Engineer Principal Lead

Cell: +1.613.670.8432
Akamai Technologies - Inverse
145 Broadway
Cambridge, MA 02142


[PacketFence-users] Administrative Rule RADIUS Reply

2023-04-21 Thread IT Mercenary via PacketFence-users
Hello,

I have an administration rule for switch CLI access that is producing
different results for users that are not a member of an AD group. Both
switches are in a switch group with type based on the standard Cisco
template. The desired result is being produced on appliance version 12.1.0
and the undesired result on v12.2.0.

*Administration Rules*
[image: image.png]

*v12.1.0 Results*
[image: image.png]
RADIUS Tab:
[image: image.png]

*v12.2.0 Results*
[image: image.png]

RADIUS Tab:
[image: image.png]


Thanks!