Hi all,

I'm trying to work out a way to have domain PCs authenticate with computer 
auth, with the device falling back to user auth so that if it's offsite it will 
use the user auth credentials to authenticate at other eduroam sites. What's 
happening at the moment is that the device authenticates using machine auth 
before the user logs in, which is great; however, once the user logs in the user 
authentication takes over, PacketFence gives the relevant user role and the 
VLAN is changed to the BYOD VLAN.

What I'd like is for PacketFence to check whether that user is logging in 
from a domain PC and, if so, give it one role, and if they're using a 
non-domain PC, give the BYOD role.

Is there a way, using filters or sources, to achieve this? I currently use 
vlan_filters to auto-register devices and to work out whether a user is an eduroam 
visitor to our network. We use sources to evaluate whether the device is a computer 
auth from a certain OU, and another source to evaluate whether the user is a local 
user.

authentication.conf:

[AD]
description=DC1
password=password
scope=sub
binddn=CN=ldapuser,CN=Users,DC=internal,DC=domain,DC=com
basedn=OU=User Accounts, DC=internal,DC=domain,DC=com
email_attribute=mail
usernameattribute=sAMAccountName
connection_timeout=5
stripped_user_name=yes
encryption=none
dynamic_routing_module=AuthModule
port=389
type=AD
host=192.168.1.1

[AD rule Full_Web_Admin]
description=
class=administration
match=any
action0=set_access_level=ALL
condition0=memberOf,is member of,CN=Admins,OU=Staff,DC=internal,DC=domain,DC=com

[AD rule Helpdesk_Access]
description=
class=administration
match=any
action0=set_access_level=Node Manager
condition0=memberOf,is member of,CN=Helpdesk,OU=Staff,DC=internal,DC=domain,DC=com

[Windows_10_beta]
description=Test for Windows 10 PCs
password=password
scope=sub
binddn= CN=ldapuser,CN=Users,DC=internal,DC=domain,DC=com
basedn= OU=Computer Accounts, DC=internal,DC=domain,DC=com
email_attribute=mail
usernameattribute=servicePrincipalName
connection_timeout=5
stripped_user_name=no
encryption=none
dynamic_routing_module=AuthModule
port=389
type=AD
host=192.168.1.1

[Windows_10_beta rule Domain_PCs]
description=
class=authentication
match=all
action0=set_role=domain_PCs
action1=set_access_duration=6M

[home_users]
description=home_users
password=password
scope=sub
binddn= CN=ldapuser,CN=Users,DC=internal,DC=domain,DC=com
basedn= OU=User Accounts, DC=internal,DC=domain,DC=com
email_attribute=mail
usernameattribute=sAMAccountName
connection_timeout=5
stripped_user_name=yes
encryption=none
dynamic_routing_module=AuthModule
port=389
type=AD
host=192.168.1.1

[home_users rule home_users]
description=
class=authentication
match=all
action0=set_role=eduroam_home_byod
action1=set_access_duration=3M


vlan_filters.conf:

[machineauth]
filter = user_name
operator = match
value = host/

[visiting_user]
filter = user_name
operator = regex_not
value = ^(.+@[Cc][Aa][Rr][Dd][Ii][Ff][Ff][Mm][Ee][Tt]\.[Aa][Cc]\.[Uu][Kk]$|.+@[Uu][Ww][Ii][Cc]\.[Aa][Cc]\.[Uu][Kk]$)

[eduroam_dev]
filter = ssid
operator = is
value = eduroam_dev

[autoreg:home_user]
scope = AutoRegister
role = eduroam_home_byod

[autoreg:machineauth]
scope = AutoRegister
role = domain_PCs

[autoreg:visiting_user&eduroam_dev&!machineauth]
scope = AutoRegister
role = eduroam_visitors

[2:visiting_user&eduroam_dev&!machineauth]
scope = RegisteredRole
role = eduroam_visitors
action = modify_node
action_param = mac = $mac, category = eduroam_visitors, unregdate = 1M

Cheers,
Andi
_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users

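To make the rule logic in the posted vlan_filters.conf concrete, here is an added Python model of it. This is an illustration only: it is not PacketFence code and not part of Andi's post. It evaluates the three named filters (machineauth, visiting_user, eduroam_dev) and the AutoRegister-scope rules against constructed RADIUS attributes. The operator semantics ("match" as substring, "is" as equality, "regex_not" as a failed match), the first-match-wins ordering, and the sample identities and MACs are assumptions of the model, not facts taken from PacketFence.

```python
import re

# Constructed sample requests (not captured from a live PacketFence box):
# the RADIUS attributes the posted vlan_filters.conf looks at. The hostname,
# user names and MACs are made up for illustration.
SAMPLE_REQUESTS = {
    # Windows machine auth before anyone logs on: identity is host/<fqdn>
    "domain_pc_machine_auth": {"user_name": "host/pc0123.internal.domain.com",
                               "ssid": "eduroam_dev", "mac": "00:11:22:33:44:55"},
    # Same domain PC after the user logs on: identity is now the user's realm login
    "domain_pc_user_auth":    {"user_name": "jsmith@cardiffmet.ac.uk",
                               "ssid": "eduroam_dev", "mac": "00:11:22:33:44:55"},
    # A personal laptop, same local user: identical user_name, different MAC
    "byod_user_auth":         {"user_name": "jsmith@cardiffmet.ac.uk",
                               "ssid": "eduroam_dev", "mac": "aa:bb:cc:dd:ee:ff"},
    # Visitor from another eduroam site
    "eduroam_visitor":        {"user_name": "visitor@otheruni.ac.uk",
                               "ssid": "eduroam_dev", "mac": "de:ad:be:ef:00:01"},
}

# The regex from the [visiting_user] filter, verbatim: local users carry one
# of the two home realms, so regex_not marks everyone else as a visitor.
VISITOR_HOME_REALMS = re.compile(
    r"^(.+@[Cc][Aa][Rr][Dd][Ii][Ff][Ff][Mm][Ee][Tt]\.[Aa][Cc]\.[Uu][Kk]$"
    r"|.+@[Uu][Ww][Ii][Cc]\.[Aa][Cc]\.[Uu][Kk]$)"
)

# The three named filters from the post. Operator semantics are modelled
# here (assumption), not copied from PacketFence's filter engine.
FILTERS = {
    "machineauth":   lambda r: "host/" in r["user_name"],                       # operator=match
    "visiting_user": lambda r: VISITOR_HOME_REALMS.search(r["user_name"]) is None,  # regex_not
    "eduroam_dev":   lambda r: r["ssid"] == "eduroam_dev",                      # operator=is
}

# AutoRegister-scope rules in the order they appear in the post.
# Note: the post defines no [home_user] filter section, so in this model
# the first rule can never match.
AUTOREG_RULES = [
    ("home_user", "eduroam_home_byod"),
    ("machineauth", "domain_PCs"),
    ("visiting_user&eduroam_dev&!machineauth", "eduroam_visitors"),
]


def evaluate(expr, request):
    """Evaluate a condition such as 'a&b&!c' against one request.

    Each '&'-separated term names a filter; a leading '!' negates it.
    A term naming a filter that is not defined is treated as never matching.
    """
    for term in expr.split("&"):
        negate = term.startswith("!")
        check = FILTERS.get(term.lstrip("!"))
        if check is None:
            return False
        if bool(check(request)) == negate:   # plain term failed, or negated term matched
            return False
    return True


def autoreg_role(request):
    """Return the role assigned by the first matching AutoRegister rule, or None.

    First-match-wins ordering is an assumption of this model.
    """
    for expr, role in AUTOREG_RULES:
        if evaluate(expr, request):
            return role
    return None


if __name__ == "__main__":
    for label, req in SAMPLE_REQUESTS.items():
        print(f"{label:24s} user_name={req['user_name']:35s} -> {autoreg_role(req)}")
```

Running it shows the machine-auth request from the domain PC being picked up by the machineauth filter through its `host/` prefix, while the user-auth request from that same PC carries exactly the same user_name as the one from the personal laptop, so nothing in these three filters can tell the two apart, which is the gap the question is about. It also shows why the `!machineauth` guard on the visitor rule matters: a bare `host/...` identity carries no home realm, so without the guard the regex_not test alone would count it as a visitor.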