Re: [PacketFence-users] How do I exempt autoregistration in a connection profile when node has role REJECT?

Interesting, thanks, Fabrice. I wonder what the "black_hole" type is?

Eugene

From: Fabrice Durand via PacketFence-users
Sent: Thursday, December 29, 2022 7:34 AM
To: packetfence-users@lists.sourceforge.net
Cc: Fabrice Durand
Subject: Re: [PacketFence-users] How do I exempt autoregistration in a connection profile when node has role REJECT?

Hello David,

you have multiple solutions.

The first one is to use the filter in the connection profile and the order of the connection profiles. So in the advanced filter you can have category equals REJECT and ssid equals secure_ssid, and have an authentication source of type black_hole assigned to it.

You can also do it with the VLAN filter, in the NodeInfoForAutoReg scope, with something similar to the filter I previously defined in the connection profile, and you will define the role REJECT at the end.

Regards
Fabrice

On Wed, 28 Dec 2022 at 15:44, David Herselman via PacketFence-users <packetfence-users@lists.sourceforge.net> wrote:

Hi,

I have a connection profile set up to auto-register nodes as a staffbyod role when certain conditions are met. This however then overwrites manual role assignments; for example, when I manually update a node to have the role REJECT, it gets reset as having the staffbyod role when it reconnects.

I attempted to add a filter for last_node equals 'REJECT' and node_role equals 'REJECT' but this didn't change the behaviour. Is there possibly a way to filter connection profiles assigning a role when the node is not unregistered?

Herewith logs where the node is kicked off the network when the role is changed to 'REJECT', and the logs where the client is then recomputed as having the 'staffbyod' role when it reconnects:

[...]
Re: [PacketFence-users] How do I exempt autoregistration in a connection profile when node has role REJECT?

Hello David,

you have multiple solutions.

The first one is to use the filter in the connection profile and the order of the connection profiles. So in the advanced filter you can have category equals REJECT and ssid equals secure_ssid, and have an authentication source of type black_hole assigned to it.

You can also do it with the VLAN filter, in the NodeInfoForAutoReg scope, with something similar to the filter I previously defined in the connection profile, and you will define the role REJECT at the end.

Regards
Fabrice

On Wed, 28 Dec 2022 at 15:44, David Herselman via PacketFence-users <packetfence-users@lists.sourceforge.net> wrote:
> Hi,
>
> I have a connection profile set up to auto-register nodes as a staffbyod role when certain conditions are met. This however then overwrites manual role assignments; for example, when I manually update a node to have the role REJECT, it gets reset as having the staffbyod role when it reconnects.
>
> I attempted to add a filter for last_node equals 'REJECT' and node_role equals 'REJECT' but this didn't change the behaviour. Is there possibly a way to filter connection profiles assigning a role when the node is not unregistered?
>
> Herewith logs where the node is kicked off the network when the role is changed to 'REJECT', and the logs where the client is then recomputed as having the 'staffbyod' role when it reconnects:
>
> [...]
[PacketFence-users] How do I exempt autoregistration in a connection profile when node has role REJECT?

Hi,

I have a connection profile set up to auto-register nodes as a staffbyod role when certain conditions are met. This however then overwrites manual role assignments; for example, when I manually update a node to have the role REJECT, it gets reset as having the staffbyod role when it reconnects.

I attempted to add a filter for last_node equals 'REJECT' and node_role equals 'REJECT' but this didn't change the behaviour. Is there possibly a way to filter connection profiles assigning a role when the node is not unregistered?

Herewith logs where the node is kicked off the network when the role is changed to 'REJECT', and the logs where the client is then recomputed as having the 'staffbyod' role when it reconnects:

Dec 28 19:46:02 packetfence packetfence[1589245]: pfperl-api(1589245) INFO: re-evaluating access (admin_modify called) (pf::enforcement::reevaluate_access)
Dec 28 19:46:02 packetfence packetfence[1589245]: pfperl-api(1589245) INFO: Instantiate profile 802.1x_EAP (pf::Connection::ProfileFactory::_from_profile)
Dec 28 19:46:02 packetfence packetfence[1589245]: pfperl-api(1589245) INFO: VLAN reassignment is forced. (pf::enforcement::_should_we_reassign_vlan)
Dec 28 19:46:02 packetfence packetfence[1589245]: pfperl-api(1589245) INFO: switch port is (172.16.10.53) ifIndex 0connection type: WiFi 802.1X (pf::enforcement::_vlan_reevaluation)
Dec 28 19:46:03 packetfence packetfence_httpd.aaa[1554532]: httpd.aaa(759442) WARN: [mac:de:ad:be:ef:de:ad] Firewall SSO Notify (pf::api::firewallsso_accounting)
Dec 28 19:46:03 packetfence packetfence_httpd.aaa[1554532]: httpd.aaa(759442) INFO: [mac:de:ad:be:ef:de:ad] Sending a firewall SSO 'Stop' request for MAC 'de:ad:be:ef:de:ad' and IP '10.239.239.28' (pf::firewallsso::do_sso)
Dec 28 19:46:03 packetfence pfqueue[1604847]: pfqueue(1604847) INFO: [mac:de:ad:be:ef:de:ad] [de:ad:be:ef:de:ad] DesAssociating mac on switch (172.16.10.53) (pf::api::desAssociate)
Dec 28 19:46:03 packetfence pfqueue[1604847]: pfqueue(1604847) INFO: [mac:de:ad:be:ef:de:ad] deauthenticating de:ad:be:ef:de:ad (pf::Switch::Mikrotik::radiusDisconnect)
Dec 28 19:46:03 packetfence pfqueue[1604847]: pfqueue(1604847) ERROR: [mac:de:ad:be:ef:de:ad] Trying to save a NULL value in a non nullable field radius_audit_log.mac (pf::dal::validate_field)
Dec 28 19:46:03 packetfence pfqueue[1604847]: pfqueue(1604847) ERROR: [mac:de:ad:be:ef:de:ad] Skipping invalid value (NULL) in when inserting field radius_audit_log.mac (pf::dal::_insert_data)
Dec 28 19:46:03 packetfence pfqueue[1604847]: pfqueue(1604847) WARN: [mac:de:ad:be:ef:de:ad] Warning: 1364: Field 'mac' doesn't have a default value (pf::dal::db_execute)
Dec 28 19:46:06 packetfence packetfence_httpd.aaa[1554532]: httpd.aaa(759442) WARN: [mac:00:22:4d:88:b0:9a] Use of uninitialized value $nas_port in concatenation (.) or string at /usr/local/pf/lib/pf/Switch.pm line 2470. (pf::Switch::NasPortToIfIndex)
Dec 28 19:46:12 packetfence packetfence_httpd.aaa[1581156]: httpd.aaa(759442) INFO: [mac:de:ad:be:ef:de:ad] handling radius autz request: from switch_ip => (172.16.10.53), connection_type => Wireless-802.11-EAP,switch_mac => (02:00:00:aa:00:01), mac => [de:ad:be:ef:de:ad], port => 0, username => "joe.doe", ssid => RedactedWiFi (pf::radius::authorize)
Dec 28 19:46:12 packetfence packetfence_httpd.aaa[1581156]: httpd.aaa(759442) INFO: [mac:de:ad:be:ef:de:ad] Instantiate profile 802.1x_EAP (pf::Connection::ProfileFactory::_from_profile)
Dec 28 19:46:12 packetfence packetfence_httpd.aaa[1581156]: httpd.aaa(759442) INFO: [mac:de:ad:be:ef:de:ad] Found authentication source(s) : 'redactedad_users_byod' for realm 'null' (pf::config::util::filter_authentication_sources)
Dec 28 19:46:12 packetfence packetfence_httpd.aaa[1581156]: httpd.aaa(759442) INFO: [mac:de:ad:be:ef:de:ad] Using sources redactedad_users_byod for matching (pf::authentication::match2)
Dec 28 19:46:12 packetfence packetfence_httpd.aaa[1581156]: httpd.aaa(759442) WARN: [mac:de:ad:be:ef:de:ad] [redactedad_users_byod staff] Searching for (&(sAMAccountName=joe.doe)(memberOf=CN=redacted,OU=Redacted,OU=Security Groups,OU=Redacted,DC=ad,DC=redacted)), from OU=Users,OU=Redacted,DC=ad,DC=redacted, with scope sub (pf::Authentication::Source::LDAPSource::match_in_subclass)
Dec 28 19:46:12 packetfence packetfence_httpd.aaa[1581156]: httpd.aaa(759442) INFO: [mac:de:ad:be:ef:de:ad] Matched rule (staff) in source redactedad_users_byod, returning actions. (pf::Authentication::Source::match_rule)
Dec 28 19:46:12 packetfence packetfence_httpd.aaa[1581156]: httpd.aaa(759442) INFO: [mac:de:ad:be:ef:de:ad] Matched rule (staff) in source redactedad_users_byod, returning actions. (pf::Authentication::Source::match)
Dec 28 19:46:12 packetfence packetfence_httpd.aaa[1581156]: httpd.aaa(759442) INFO: [mac:de:ad:be:ef:de:ad] Found authentication source(s) : 'redactedad_users_byod' for realm 'null' (pf::config::util::filter_authentication_sources)
Dec 28 19:46:12
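The sequence in these logs (admin-triggered re-evaluation, forced deauthentication, then a fresh RADIUS authorization in which an authentication-source rule hands the node a role again) is something a defender may want to detect from the log file itself, independently of how the profiles are configured. The following Python correlator is an added example for this thread; it is not PacketFence code and was not posted by anyone in the discussion. It assumes the line layout visible above (syslog timestamp, host, process[pid], component(pid), level, optional [mac:...] tag, message, and the pf:: function in trailing parentheses). The sample input is a trimmed copy of four of the lines above plus one constructed line for a second MAC that is not flagged, because no admin re-evaluation preceded it.

```python
"""Correlate PacketFence log lines to spot a node whose role was re-derived by an
authentication-source rule right after an admin-forced access re-evaluation.
Added example for the thread above; not PacketFence code. The line layout it
parses is assumed from the lines quoted in the thread."""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# Assumed layout of one packetfence.log line, derived from the lines in the thread:
# <syslog ts> <host> <proc>[<pid>]: <component>(<pid>) <LEVEL>: [mac:<mac>] <message> (<pf::function>)
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<proc>[^\[ ]+)\[(?P<pid>\d+)\]: (?P<component>\S+?)\((?P<cpid>\d+)\) "
    r"(?P<level>[A-Z]+): (?:\[mac:(?P<mac>[0-9A-Fa-f:]{17})\] )?"
    r"(?P<msg>.*?) \((?P<func>pf::[\w:]+)\)\s*$"
)
RULE_RE = re.compile(r"Matched rule \((?P<rule>[^)]+)\) in source (?P<source>[^,]+),")

# Constructed sample: four lines copied from the thread plus one made-up line
# (MAC 00:22:4d:88:b0:9a at 19:47:30) that has no preceding admin re-evaluation.
SAMPLE_LOG = """\
Dec 28 19:46:02 packetfence packetfence[1589245]: pfperl-api(1589245) INFO: re-evaluating access (admin_modify called) (pf::enforcement::reevaluate_access)
Dec 28 19:46:03 packetfence pfqueue[1604847]: pfqueue(1604847) INFO: [mac:de:ad:be:ef:de:ad] deauthenticating de:ad:be:ef:de:ad (pf::Switch::Mikrotik::radiusDisconnect)
Dec 28 19:46:12 packetfence packetfence_httpd.aaa[1581156]: httpd.aaa(759442) INFO: [mac:de:ad:be:ef:de:ad] handling radius autz request: from switch_ip => (172.16.10.53), connection_type => Wireless-802.11-EAP,switch_mac => (02:00:00:aa:00:01), mac => [de:ad:be:ef:de:ad], port => 0, username => "joe.doe", ssid => RedactedWiFi (pf::radius::authorize)
Dec 28 19:46:12 packetfence packetfence_httpd.aaa[1581156]: httpd.aaa(759442) INFO: [mac:de:ad:be:ef:de:ad] Matched rule (staff) in source redactedad_users_byod, returning actions. (pf::Authentication::Source::match_rule)
Dec 28 19:47:30 packetfence packetfence_httpd.aaa[1581156]: httpd.aaa(759442) INFO: [mac:00:22:4d:88:b0:9a] Matched rule (staff) in source redactedad_users_byod, returning actions. (pf::Authentication::Source::match_rule)
"""


@dataclass
class LogEvent:
    ts: datetime
    component: str
    level: str
    mac: Optional[str]
    msg: str
    func: str


@dataclass
class Finding:
    mac: str
    rule: str
    source: str
    seconds_after_deauth: int


def parse_line(line: str) -> Optional[LogEvent]:
    """Parse one log line; return None for lines in another layout."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # Syslog timestamps carry no year; the default year is fine for computing deltas.
    ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
    return LogEvent(ts, m["component"], m["level"], m["mac"], m["msg"], m["func"])


def correlate(lines, window_s: int = 60):
    """Flag each MAC that was deauthenticated within window_s of an admin-triggered
    re-evaluation and then matched an authentication-source rule on reconnect,
    i.e. a manually assigned role that is about to be recomputed by a source."""
    events = [e for e in map(parse_line, lines) if e is not None]
    admin_reevals = [e.ts for e in events
                     if e.func == "pf::enforcement::reevaluate_access"
                     and "admin_modify" in e.msg]
    pending = {}   # mac -> time of the forced deauth that followed an admin change
    findings = []
    for e in events:
        if e.mac is None:
            continue
        if e.func.endswith("::radiusDisconnect") and any(
                0 <= (e.ts - t).total_seconds() <= window_s for t in admin_reevals):
            pending[e.mac] = e.ts
        elif e.func == "pf::Authentication::Source::match_rule" and e.mac in pending:
            m = RULE_RE.search(e.msg)
            if m:
                delta = int((e.ts - pending.pop(e.mac)).total_seconds())
                findings.append(Finding(e.mac, m["rule"], m["source"], delta))
    return findings


if __name__ == "__main__":
    for f in correlate(SAMPLE_LOG.splitlines()):
        print(f"{f.mac}: role re-derived by rule '{f.rule}' in source '{f.source}' "
              f"{f.seconds_after_deauth}s after an admin-forced deauth")
```

Run against the sample it reports only de:ad:be:ef:de:ad (rule staff, source redactedad_users_byod, 9 seconds after the deauth); the constructed second MAC is ignored because its rule match was not preceded by an admin re-evaluation. Feeding the real packetfence.log through `correlate()` gives a quick way to confirm whether a connection-profile or VLAN-filter change has actually stopped the role from being recomputed.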