Hi Fabrice, now I started to get it, I must use the vlan_filters.conf file and a new portal profile.
Only one thing: why use an AD source at all instead of a Blackhole source? The machine is already authenticated via ntlm_auth, otherwise radius sends a reject answer. I don't want to add other sources like AD, does that seem right?

Diego

----- Original Message -----
From: "Durand fabrice" <[email protected]>
To: [email protected]
Sent: Friday, March 27, 2015 6:38:35 PM
Subject: Re: [PacketFence-users] exclusive sources

Hello Diego,

this is clear now for me.
So first you must configure an AD source like this (let's say ComputerSource):
https://github.com/inverse-inc/packetfence/blob/devel/docs/PacketFence_Administration_Guide.asciidoc#example
with username attribute = servicePrincipalName, and add a catch-all rule without condition that assigns a role and an access duration.

Next, create a portal profile (let's say name = EAP_Ethernet_Connection) with a filter connection type = Ethernet-EAP and add the ComputerSource authentication source.

Then edit /usr/local/pf/conf/vlan_filters.conf and add this (it means: autoregister machine authentication for Ethernet EAP connections):

[machineauth]
filter = username
operator = match
value = host\/

[EthernetEAP]
filter = connection_type
operator = match
value = Ethernet-EAP

[1:EthernetEAP&machineauth]
scope = AutoRegister
role = default

If you want to enable the same thing for user auth, then create a UserSource (username attribute = sAMAccountName), add it to the EAP_Ethernet_Connection portal profile, and change vlan_filters.conf like this:

[EthernetEAP]
filter = connection_type
operator = match
value = Ethernet-EAP

[1:EthernetEAP]
scope = AutoRegister
role = default

Regards
Fabrice

On 2015-03-27 12:59, Diego Bonfigli wrote:
> Hello Fabrice,
>
> I'm doing wired authentication with cisco switches, packetfence is in vlan enforcement mode.
>
> I want to authenticate PCs via dot1x, since my cisco switches support dot1x (and mab too, but let's talk about dot1x now; also, we are not talking about captive portal in this issue).
>
> I configured the mschap module in raddb of Packetfence, winbind, ntlm_auth and all.
> The radius server is authenticating the computers just fine (machine authentication).
>
> At this point, packetfence must answer with a vlan (number or name) to the switch. But, without further configuration, packetfence puts the computer in the isolation vlan because packetfence doesn't know which vlan to answer (no role).
>
> I need to set the role of the PC to make packetfence answer with a vlan, i.e., I need rules so that packetfence sets the role of the authenticated node.
>
> Via web, under the user source section, or via the config file authentication.conf, I can create authentication sources and rules that are executed when an authentication method matches, for example, put the computer in a specific role. That is JUST what I need.
>
> Now, since I already authenticated the PC via ntlm_auth, I don't need to configure another user source, I just need to make packetfence use a rule to put the node in a role.
>
> There are "internal sources", "external sources" and "exclusive sources".
>
> At this step, because my PCs are already authenticated via ntlm_auth in the mschap module, I don't want to authenticate the PC another time, I just want that, if the connection type is EAP, then put the node in a role.
>
> So I used a Blackhole source.
> Under "Exclusive Sources" via the web configurator. The rule is:
> "if any of the following conditions are met: 'connection type is Ethernet EAP' then Perform the following actions: 'set role default'"
> that packetfence translates in the file authentication.conf this way:
>
> [fallback-dot1x rule internal-net]
> description=
> match=any
> action0=set_role=default
> action1=set_access_duration=1h
> condition0=connection_type,is,Ethernet-EAP
>
> Good. But it was not working. The rule is just never matched. It turned out that packetfence 4.7.0 filters away the "exclusive sources".
> This is done exactly at this point in the code: at line 68 in the file lib/pf/Portal/ProfileFactory.pm in the sub _from_profile, which I write here for clarity:
>
>> unless ( defined $sources && ref($sources) eq 'ARRAY' && @$sources ) {
>>     $profile{'sources'} = $sources = [
>>         map { $_->id }
>>         grep { $_->class ne 'exclusive' }
>>         @{ pf::authentication::getAllAuthenticationSources() }
>>     ];
>> }
>>
> You see here that the code just excludes the "exclusive sources" via a map/grep.
>
> That took me several hours to debug. Now I fixed it for my installation and everything is working just fine as I wanted.
>
> It is true that the configurator webpage says: "Each portal profile must be associated with one or multiple authentication sources while 802.1X connections use the ordered internal sources to determine which role to use. External sources are never used with 802.1X connections.", i.e., there is no mention of "Exclusive sources", but I think that the code snippet I pointed out just filters the "exclusive sources" globally, in any part of packetfence.
>
> I just wanted to know why the code filters out the exclusive sources I needed.
> Is there a technical reason? Are they not supported yet? Why is it not a config that you can override?
>
> Thanks,
> Diego
>
> ----- Original Message -----
> From: "Durand fabrice" <[email protected]>
> To: [email protected]
> Sent: Friday, March 27, 2015 2:48:05 PM
> Subject: Re: [PacketFence-users] exclusive sources
>
> Hello Diego,
>
> do you have a little bit more details about what you want to achieve?
> (With more details I will probably be able to give a more precise answer)
>
> Blackhole is used, for example, when you connect to an ssid and hit the portal and you will see just an AUP without a login button.
> It's generally used when you want to manually register devices and tell the user who tries to connect the procedure to allow the device (like call the support...)
>
> Regards
> Fabrice
>
> On 2015-03-27 07:29, Diego Bonfigli wrote:
>> Hi all,
>> I'm using packetfence 4.7.0.
>>
>> I wanted to know why "exclusive sources" in user authentication are disabled in the code.
>> The file lib/pf/Portal/ProfileFactory.pm has a sub, sub _from_profile, where you exclude that source:
>>
>> unless ( defined $sources && ref($sources) eq 'ARRAY' && @$sources ) {
>>     $profile{'sources'} = $sources = [
>>         map { $_->id }
>>         grep { $_->class ne 'exclusive' }
>>         @{ pf::authentication::getAllAuthenticationSources() }
>>     ];
>> }
>>
>> I'm using ntlm_auth to do dot1x machine authentication, and, if I don't use any source specified in packetfence (the ones that you define in authentication.conf), a node is not put in any role, so I need the exclusive source Blackhole.
>>
>> Why is it that way? Is there a technical reason? Are they not supported yet? Why is it not a config that you can override?
>>
>> Diego
>>
>> _______________________________________________
>> PacketFence-users mailing list
>> [email protected]
>> https://lists.sourceforge.net/lists/listinfo/packetfence-users

-- 
Dr. Diego Bonfigli
tel: 366 5898323
email: [email protected]
Laboratori Guglielmo Marconi - www.labs.it
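The vlan_filters.conf rules from Fabrice's reply, evaluated by a small Python model added here (this is not PacketFence's own filter engine) against constructed RADIUS request attributes. It assumes `match` is a regular-expression search and models only the `&` combinator in rule names; the user-auth variant is obtained by passing Fabrice's second configuration as `conf`.

```python
import configparser
import re

# Constructed copy of the machine-auth vlan_filters.conf from the thread:
# username must look like host/... (servicePrincipalName) AND the
# connection must be Ethernet-EAP before the node is autoregistered.
MACHINE_AUTH_CONF = r"""
[machineauth]
filter = username
operator = match
value = host\/

[EthernetEAP]
filter = connection_type
operator = match
value = Ethernet-EAP

[1:EthernetEAP&machineauth]
scope = AutoRegister
role = default
"""


def load_filters(text):
    """Split sections into named conditions and ordered 'N:cond&cond' rules."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    conds = {n: (cp[n]["filter"], cp[n]["operator"], cp[n]["value"])
             for n in cp.sections() if "filter" in cp[n]}
    rules = sorted((int(n.split(":")[0]), n.split(":", 1)[1].split("&"),
                    cp[n]["scope"], cp[n]["role"])
                   for n in cp.sections() if "scope" in cp[n])
    return conds, rules


def matches(cond, req):
    """Evaluate one condition; missing attributes are treated as empty strings."""
    attr, op, value = cond
    actual = req.get(attr, "")
    if op in ("is", "is_not"):
        return (actual == value) == (op == "is")
    if op in ("match", "match_not"):  # assumed: regex semantics for match
        return (re.search(value, actual) is not None) == (op == "match")
    raise ValueError(f"unsupported operator {op!r}")


def role_for(req, scope, conf=MACHINE_AUTH_CONF):
    """Role from the first rule in `scope` whose conditions all match, else None."""
    conds, rules = load_filters(conf)
    for _order, names, rule_scope, role in rules:
        if rule_scope == scope and all(matches(conds[n], req) for n in names):
            return role
    return None
```

A plain user account on the same port gets no role from the machine-auth rule, which is exactly why Fabrice's second configuration drops the `machineauth` condition.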
