Hi Gábor, what you can try is memberOf is_memberof cn=group,dc=.....
And check with pftest if your rule matches.

Regards
Fabrice

On 2016-03-07 05:57, BARÓCSI Gábor wrote:
> Hi,
>
> I managed to make a successful authentication to a win AD.
> 802.1x on client side is set to authenticate with username. That works fine,
> a source is set up to a win AD checking if user's sAMaccountName exists in
> the subtree.
> I checked the LDAP queries on the DC's side.
> The problem is that I also set up Rules in the Source. Rule's class is
> authentication. It has only one condition, sAMaccountname is member of
> GroupName
> Action:
> Set_role CompanyRoleForEmployee
>
> I see that there is no ldap query for testing if the user is in the GroupName
> group. Is that a problem?
> I set up autoregister in order to not use the captive portal. Now I have two
> problems. The group membership is not tested and the client is not set to any
> vlan. Of course I have already set a vlan for Employees, and if I assign the
> client by hand, it is set to the Employee vlan and gets an IP.
>
> In my pflog I see this:
>
> Mar 07 11:53:36 httpd.aaa(21823) INFO: [mac:ec:f4:bb:10:ad:b7] Realm source is configured in the realm MYDOMAINISHERE but is not in the portal profile. Ignoring it and using the portal profile sources. (pf::config::util::get_user_sources)
> Mar 07 11:53:36 httpd.aaa(21823) WARN: [mac:ec:f4:bb:10:ad:b7] Calling match with empty/invalid rule class. Defaulting to 'authentication' (pf::authentication::match)
> Mar 07 11:53:36 httpd.aaa(21823) INFO: [mac:ec:f4:bb:10:ad:b7] autoregister a node that is already registered, do nothing. (pf::node::node_register)
> Mar 07 11:53:37 httpd.aaa(21823) INFO: [mac:ec:f4:bb:10:ad:b7] Instantiate profile default (pf::Portal::ProfileFactory::_from_profile)
> Mar 07 11:53:37 httpd.aaa(21823) INFO: [mac:ec:f4:bb:10:ad:b7] Role has already been computed and we don't want to recompute it. Getting role from node_info (pf::role::getRegisteredRole)
> Mar 07 11:53:37 httpd.aaa(21823) INFO: [mac:ec:f4:bb:10:ad:b7] Username was NOT defined or unable to match a role - returning node based role '' (pf::role::getRegisteredRole)
> Mar 07 11:53:37 httpd.aaa(21823) INFO: [mac:ec:f4:bb:10:ad:b7] PID: "MYDOMAINISHERE \\gbarocsi", Status: reg Returned VLAN: (undefined), Role: (pf::role::fetchRoleForNode)
> Mar 07 11:53:37 httpd.aaa(21823) WARN: [mac:ec:f4:bb:10:ad:b7] No parameter Vlan found in conf/switches.conf for the switch 10.1.12.49 (pf::Switch::getVlanByName)
> Mar 07 11:53:37 httpd.aaa(21823) INFO: [mac:ec:f4:bb:10:ad:b7] (10.1.12.49) Returning ACCEPT with VLAN 0 (pf::Switch::returnRadiusAccessAccept)
>
>
> What am I missing? Please help.
>
> Gábor Barócsi
> Network and System Engineer
>
>
> ------------------------------------------------------------------------------
> Transform Data into Opportunity.
> Accelerate data analysis in your applications with
> Intel Data Analytics Acceleration Library.
> Click to learn more.
> http://makebettercode.com/inteldaal-eval
> _______________________________________________
> PacketFence-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/packetfence-users

--
Fabrice Durand
[email protected] :: +1.514.447.4918 (x135) :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence (http://packetfence.org)
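As an added example (not from this thread and not PacketFence's own code): the check that a memberOf-based group condition performs, run offline against a constructed AD-style directory. It compares normalized DNs, since AD DNs are case-insensitive, and adds a transitive variant to show why a user who reaches the role group only through a nested group fails a direct memberOf test. All DNs, group names and the directory contents are made up for the example.

```python
from typing import Dict, List, Set

# Constructed AD-style directory (DN -> attributes); group names are placeholders.
DIRECTORY: Dict[str, Dict[str, List[str]]] = {
    "CN=gbarocsi,OU=Users,DC=example,DC=com": {
        "sAMAccountName": ["gbarocsi"],
        "memberOf": ["CN=Helpdesk,OU=Groups,DC=example,DC=com"],
    },
    # Helpdesk is nested inside Employees; the user is not a direct Employees member.
    "CN=Helpdesk,OU=Groups,DC=example,DC=com": {
        "memberOf": ["CN=Employees,OU=Groups,DC=example,DC=com"],
    },
    "CN=Employees,OU=Groups,DC=example,DC=com": {},
}

def normalize_dn(dn: str) -> str:
    """AD DNs compare case-insensitively and ignore whitespace around the commas."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def find_user(sam: str) -> Dict[str, List[str]]:
    """Locate the entry whose sAMAccountName matches (case-insensitive)."""
    for attrs in DIRECTORY.values():
        if sam.lower() in (v.lower() for v in attrs.get("sAMAccountName", [])):
            return attrs
    raise LookupError(sam)

def is_direct_member(sam: str, group_dn: str) -> bool:
    """What a 'memberOf is_memberof <group DN>' condition sees: direct membership only."""
    want = normalize_dn(group_dn)
    return any(normalize_dn(g) == want for g in find_user(sam).get("memberOf", []))

def is_transitive_member(sam: str, group_dn: str) -> bool:
    """Follow memberOf through nested groups. AD's memberOf is not transitive, so a
    user granted the role group via an intermediate group fails the direct check."""
    want = normalize_dn(group_dn)
    seen: Set[str] = set()
    todo = [normalize_dn(g) for g in find_user(sam).get("memberOf", [])]
    while todo:
        group = todo.pop()
        if group == want:
            return True
        if group in seen:
            continue
        seen.add(group)
        for dn, attrs in DIRECTORY.items():
            if normalize_dn(dn) == group:
                todo.extend(normalize_dn(g) for g in attrs.get("memberOf", []))
    return False
```

When a rule like this never matches, confirm with a direct LDAP query that the expected group DN appears in the user's memberOf attribute exactly, and remember that nested and primary-group memberships are not listed there.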
