Hi James, maybe not, but I don't understand: which profile are we talking about? The portal profile? I have never touched that part of the configuration, since I don't use a captive portal when I do dot1x machine auth.
Diego

----- Original Message -----
From: "James Rouzier" <[email protected]>
To: [email protected]
Sent: Friday, March 27, 2015 6:12:36 PM
Subject: Re: [PacketFence-users] exclusive sources

Diego,

PacketFence only excludes exclusive sources when there are no sources defined for a profile.
Have you added the blackhole source explicitly to your profile?

James Rouzier
[email protected] :: +1.514.755.3630 :: http://www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence (http://www.packetfence.org)

On 2015-03-27 12:59 PM, Diego Bonfigli wrote:
> Hello Fabrice,
>
> I'm doing wired authentication with Cisco switches; PacketFence is in VLAN enforcement mode.
>
> I want to authenticate PCs via dot1x, since my Cisco switches support dot1x (and MAB too, but let's talk about dot1x now; also, we are not talking about the captive portal in this issue).
>
> I configured the mschap module in raddb of PacketFence, winbind, ntlm_auth and all.
> The RADIUS server is authenticating the computers just fine (machine authentication).
>
> At this point, PacketFence must answer with a VLAN (number or name) to the switch. But, without further configuration, PacketFence puts the computer in the isolation VLAN because PacketFence doesn't know which VLAN to answer (no role).
>
> I need to set the role of the PC to make PacketFence answer with a VLAN, i.e., I need rules so that PacketFence sets the role of the authenticated node.
>
> Via the web, under the user source section, or via the config file authentication.conf, I can create authentication sources and rules that are executed when an authentication method matches, for example, put the computer in a specific role. That is JUST what I need.
>
> Now, since I already authenticated the PC via ntlm_auth, I don't need to configure another user source; I just need to make PacketFence use a rule to put the node in a role.
>
> There are "internal sources", "external sources" and "exclusive sources".
>
> At this step, because my PCs are already authenticated via ntlm_auth in the mschap module, I don't want to authenticate the PC another time; I just want that, if the connection type is EAP, then the node is put in a role.
>
> So I used a Blackhole source, under "Exclusive Sources" via the web configurator. The rule is:
> "if any of the following conditions are met: 'connection type is Ethernet EAP' then perform the following actions: 'set role default'"
> which PacketFence translates in the file authentication.conf this way:
>
> [fallback-dot1x rule internal-net]
> description=
> match=any
> action0=set_role=default
> action1=set_access_duration=1h
> condition0=connection_type,is,Ethernet-EAP
>
>
> Good. But it was not working. The rule is just never matched. It turned out that PacketFence 4.7.0 filters away the "exclusive sources". This is done exactly at this point in the code: at line 68 in the file lib/pf/Portal/ProfileFactory.pm in the sub _from_profile, which I write here for clarity:
>
>> unless ( defined $sources && ref($sources) eq 'ARRAY' && @$sources ) {
>>     $profile{'sources'} = $sources = [
>>         map { $_->id }
>>         grep { $_->class ne 'exclusive' }
>>         @{ pf::authentication::getAllAuthenticationSources() }
>>     ];
>> }
>>
> You see here that the code just excludes the "exclusive sources" via a map/grep.
>
> That took me several hours to debug. Now I fixed it for my installation and everything is working just fine, as I wanted.
>
> It is true that the configurator webpage says: "Each portal profile must be associated with one or multiple authentication sources while 802.1X connections use the ordered internal sources to determine which role to use. External sources are never used with 802.1X connections.", i.e., there is no mention of "Exclusive sources", but I think the code snippet I pointed out just filters the "exclusive sources" globally, in any part of PacketFence.
>
> I just wanted to know why the filter in the code excludes the exclusive sources I needed.
> Is there a technical reason? Are they not supported yet? Why is it not a config that you can override?
>
> Thanks,
> Diego
>
> ----- Original Message -----
> From: "Durand fabrice" <[email protected]>
> To: [email protected]
> Sent: Friday, March 27, 2015 2:48:05 PM
> Subject: Re: [PacketFence-users] exclusive sources
>
> Hello Diego,
>
> do you have a little bit more details about what you want to achieve?
> (With more details I will probably be able to give a more precise answer.)
>
> Blackhole is used, for example, when you connect to an SSID and hit the portal, and you will see just an AUP without a login button.
> It's generally used when you want to manually register devices and tell the user that tries to connect the procedure to allow the device (like calling support...).
>
> Regards
> Fabrice
>
>
> On 2015-03-27 07:29, Diego Bonfigli wrote:
>> Hi all,
>> I'm using PacketFence 4.7.0.
>>
>> I wanted to know why "exclusive sources" in user authentication are disabled in the code.
>> The file lib/pf/Portal/ProfileFactory.pm has a sub, sub _from_profile, where you exclude that source:
>>
>> unless ( defined $sources && ref($sources) eq 'ARRAY' && @$sources ) {
>>     $profile{'sources'} = $sources = [
>>         map { $_->id }
>>         grep { $_->class ne 'exclusive' }
>>         @{ pf::authentication::getAllAuthenticationSources() }
>>     ];
>> }
>>
>> I'm using ntlm_auth to do dot1x machine authentication, and, if I don't use any source specified in PacketFence (the one that you define in authentication.conf), a node is not put in any role, so I need the exclusive source Blackhole.
>>
>> Why is it that way? Is there a technical reason? Are they not supported yet? Why is it not a config that you can override?
>>
>> Diego

--
Dr. Diego Bonfigli
tel: 366 5898323
email: [email protected]
Laboratori Guglielmo Marconi - www.labs.it

------------------------------------------------------------------------------
Dive into the World of Parallel Programming The Go Parallel Website, sponsored by Intel and developed in partnership with Slashdot Media, is your hub for all things parallel software development, from weekly thought leadership blogs to news, videos, case studies, tutorials and more. Take a look and join the conversation now. http://goparallel.sourceforge.net/
_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
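To make the behaviour James and Diego describe concrete, here is a constructed Perl model (added here; not PacketFence's own code) of the source fallback in _from_profile and of a fallback-dot1x style rule evaluated against an Ethernet-EAP connection. The hash-based source objects, the condition/action representation and the role_for/condition_met helpers are assumptions; only the unless/map/grep fallback mirrors the snippet quoted in the thread.

```perl
# Constructed model of the source selection discussed in the thread; not PacketFence code.
use strict;
use warnings;

# Constructed sources: two internal ones and an exclusive Blackhole source carrying
# the fallback-dot1x rule from the thread (condition0=connection_type,is,Ethernet-EAP).
my @all_sources = (
    { id => 'local', class => 'internal', rules => [] },
    { id => 'ad',    class => 'internal', rules => [] },
    { id => 'blackhole', class => 'exclusive',
      rules => [ { match      => 'any',
                   conditions => [ [ 'connection_type', 'is', 'Ethernet-EAP' ] ],
                   actions    => { set_role => 'default', set_access_duration => '1h' } } ] },
);

# Mirrors the quoted fallback: when the profile lists no sources, take every
# source except those of class 'exclusive'.  A profile that names the blackhole
# source explicitly skips this branch, which is James's point.
sub profile_sources {
    my ($profile) = @_;
    my $sources = $profile->{sources};
    unless ( defined $sources && ref($sources) eq 'ARRAY' && @$sources ) {
        $sources = [ map { $_->{id} } grep { $_->{class} ne 'exclusive' } @all_sources ];
    }
    return $sources;
}

# One condition of the form [attribute, operator, value]; only 'is' is modelled.
sub condition_met {
    my ($cond, $ctx) = @_;
    my ($attr, $op, $value) = @$cond;
    return $op eq 'is' ? ( ($ctx->{$attr} // '') eq $value ) : 0;
}

# Role set by the first matching rule among the profile's sources, or undef (no role).
sub role_for {
    my ($profile, $ctx) = @_;
    my %by_id = map { $_->{id} => $_ } @all_sources;
    for my $id ( @{ profile_sources($profile) } ) {
        for my $rule ( @{ $by_id{$id}{rules} } ) {
            my @hits = grep { condition_met($_, $ctx) } @{ $rule->{conditions} };
            my $ok = $rule->{match} eq 'any' ? @hits > 0 : @hits == @{ $rule->{conditions} };
            return $rule->{actions}{set_role} if $ok;
        }
    }
    return;
}

my $ctx = { connection_type => 'Ethernet-EAP' };
printf "profile without sources -> role: %s\n", role_for({ sources => [] },          $ctx) // 'none';
printf "profile with blackhole  -> role: %s\n", role_for({ sources => ['blackhole'] }, $ctx) // 'none';
```

With an empty sources list the profile falls back to the two internal sources and no rule fires, so the node gets no role (the isolation VLAN case Diego hit); listing blackhole explicitly lets the Ethernet-EAP rule set the role.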
