Hi Andy,
Unless you are doing something really special, you shouldn't have to add a 
RADIUS source to your authentication.conf.
That would only create a loop if you were to send the request to the local FR 
server (where it came from to begin with).
The RADIUS source is meant to query a separate RADIUS server, if you have one.

What you need is an authentication source that PF can query to assign a role to 
the user (by this point username/password should have been done). 
LDAP is the easiest one. You can define a rule that queries for that RADIUS 
username and assigns a role based on the groups the user is a member of. If you 
assign a higher precedence to a rule that assigns it based on the username, it 
would do what you are looking for.
To be clear, the username that will be used to query the LDAP server (if any) 
will be the RADIUS username. That's where the query gets it from.


As an aside, is FreeRADIUS even listening on localhost:1812? 
I'll show you mine if you show me yours:
pf4test-lm root: /usr/local/pf
# netstat -unlp | grep :1812
udp        0      0 172.21.2.127:1812           0.0.0.0:*                       12738/radiusd
udp        0      0 127.0.0.1:18120             0.0.0.0:*                       12738/radiusd

Regards,
--
Louis Munro
[email protected]  ::  www.inverse.ca 
+1.514.447.4918 *125  :: +1 (866) 353-6153 
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence 
(www.packetfence.org)
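Louis's suggestion written out as an authentication.conf fragment, in the same format Andi's snippet uses. This is an added example, not Louis's own configuration and not from the PacketFence project: the LDAP host, bind DN, base DN, group DN and the attribute names on the left of each condition are assumptions, and the exact set of keys and condition attributes accepted by a given PacketFence 4.x release should be checked against that release's documentation.

```ini
; Assumed example: an LDAP source PF queries with the RADIUS username,
; plus two rules. The source replaces the [PF_Radius] section, which only
; makes sense for a separate RADIUS server and would loop back to local FR.
[staff_ldap]
description=Campus directory (assumed host and DNs)
type=LDAP
host=ldap.example.ac.uk
port=389
encryption=none
binddn=CN=packetfence,OU=Service Accounts,DC=example,DC=ac,DC=uk
password=CHANGE_ME
basedn=DC=example,DC=ac,DC=uk
scope=sub
usernameattribute=sAMAccountName

; Rule 1 (listed first, so assumed to be evaluated first = higher precedence):
; any username beginning with "sm" gets the Staff role, as Andi asked for.
; The attribute name used in the condition is an assumption.
[staff_ldap rule Staff_by_username]
description=Usernames starting with sm are staff
match=all
action0=set_role=Staff
action1=set_unreg_date=2013-08-31
condition0=sAMAccountName,starts,sm

; Rule 2: fall back to group membership for everyone else.
[staff_ldap rule Staff_by_group]
description=Members of the Staff group
match=all
action0=set_role=Staff
condition0=memberOf,equals,CN=Staff,OU=Groups,DC=example,DC=ac,DC=uk
```

The order of the rule sections is what gives the username rule precedence over the group rule (PacketFence evaluates a source's rules in sequence and the first matching rule wins, which is the assumption this ordering relies on). Keeping a distinct `set_unreg_date` on the username rule only mirrors the original [PF_Radius rule Staff_radius] section, so the group rule will not expire accounts it matches.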

On 2013-08-13, at 8:52 , "Morris, Andi" <[email protected]> wrote:

> Hi all,
> I appreciate that there’s a lot going on with the last minute patching of new 
> versions etc, so there’s no urgency with this as I’m just playing on a dev 
> network. I’m currently running 4.0.4-2 on a Red Hat 6.4 box.
>  
> I’d like to get roles assigned depending on the username received from the 
> radius server, hopefully extending this out to separate our local users from 
> eduroam visitors, but at the moment my radius source doesn’t seem to like the 
> rule I’ve applied to it and results in no matches:
> [packetfence.log]
> Aug 13 13:16:05 pf::WebAPI(3884) INFO: autoregister a node that is already registered, do nothing. (pf::node::node_register)
> Aug 13 13:16:05 pf::WebAPI(3884) INFO: Username was NOT defined or unable to match a role - returning node based role '' (pf::vlan::getNormalVlan)
> Aug 13 13:16:05 pf::WebAPI(3884) WARN: No parameter Vlan found in conf/switches.conf for the switch 1.2.3.4 (pf::SNMP::getVlanByName)
> Aug 13 13:16:05 pf::WebAPI(3884) WARN: Resolved VLAN for node is not properly defined: Replacing with macDetectionVlan (pf::vlan::fetchVlanForNode)
> Aug 13 13:16:05 pf::WebAPI(3884) INFO: MAC: 00:24:54:42:86:04, PID: sm12345, Status: reg. Returned VLAN: 62 (pf::vlan::fetchVlanForNode)
> Aug 13 13:16:05 pf::WebAPI(3884) WARN: Role-based Network Access Control is not supported on network device type pf::SNMP::Cisco::Catalyst_2960.  (pf::SNMP::supportsRoleBasedEnforcement)
> Aug 13 13:16:09 pf::WebAPI(3885) INFO: handling radius autz request: from switch_ip => 1.2.3.4, connection_type => Ethernet-EAP mac => 00:24:54:42:86:04, port => 50001, username => sm12345 (pf::radius::authorize)
>  
> My authentication.conf looks like:
> [PF_Radius]
> description=Packetfence Radius Server
> secret=testing123
> port=1812
> type=RADIUS
> host=127.0.0.1
>  
> [PF_Radius rule Staff_radius]
> description=
> match=all
> action0=set_role=Staff
> action1=set_unreg_date=2013-08-31
> condition0=username,starts,sm
>  
> I’m trying to get any username beginning with ‘sm’ to be given the staff role.
>  
> Cheers,
> Andi
>  
> -------------------------------------
> Andi Morris
> IT Security Officer
> Cardiff Metropolitan University
> T: 02920 205720
> E: [email protected]
> --------------------------------------
>  
> ------------------------------------------------------------------------------
> Get 100% visibility into Java/.NET code with AppDynamics Lite!
> It's a free troubleshooting tool designed for production.
> Get down to code-level detail for bottlenecks, with <2% overhead. 
> Download for free and get started troubleshooting in minutes. 
> http://pubads.g.doubleclick.net/gampad/clk?id=48897031&iu=/4140/ostg.clktrk
> _______________________________________________
> PacketFence-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/packetfence-users
