Hello Andi,

If machine_account is set, then it means that it did machine authentication.
So in your filter you can use the attribute node.machine_account, like that:

[machine]
filter = node_info
attribute = machine_account
operator = defined
value = robert



Regards
Fabrice

On Wednesday, May 04, 2016 08:53 EDT, "Morris, Andi" <[email protected]> wrote:
 
> Hi all,
> 
> I'm trying to work out a way to have domain PCs to authenticate with computer 
> auth, but the device falling back to user auth so that if it's offsite it 
> will use the user auth credentials to authenticate at other eduroam sites. 
> What's happening at the moment is that the device authenticates using machine 
> auth before the user logs in, which is great, however once the user logs in 
> the user authentication takes over, and packetfence gives the relevant user 
> role and the vlan is changed to the byod vlan.
> 
> What I'd like to do would be for packetfence to check if that user is logging 
> in using a domain PC, and if so give it one role, and if they're using a non 
> domain PC to give the byod role.
> 
> Is there a way using filters, or sources to achieve this? I currently use 
> vlan_filters to autoreg devices, and to work out if a user is an eduroam 
> visitor to our network. We use sources to evaluate if the device is a 
> computer auth from a certain OU, and another source to evaluate if the user 
> is a local user.
> 
> authentication.conf:
> 
> [AD]
> description=DC1
> password=password
> scope=sub
> binddn=CN=ldapuser,CN=Users,DC=internal,DC=domain,DC=com
> basedn=OU=User Accounts, DC=internal,DC=domain,DC=com
> email_attribute=mail
> usernameattribute=sAMAccountName
> connection_timeout=5
> stripped_user_name=yes
> encryption=none
> dynamic_routing_module=AuthModule
> port=389
> type=AD
> host=192.168.1.1
> 
> [AD rule Full_Web_Admin]
> description=
> class=administration
> match=any
> action0=set_access_level=ALL
> condition0=memberOf,is member of,CN=Admins,OU=Staff,DC=internal,DC=domain,DC=com
> 
> [AD rule Helpdesk_Access]
> description=
> class=administration
> match=any
> action0=set_access_level=Node Manager
> condition0=memberOf,is member of, CN=Helpdesk,OU=Staff,DC=internal,DC=domain,DC=com
> 
> [Windows_10_beta]
> description=Test for Windows 10 PCs
> password=password
> scope=sub
> binddn= CN=ldapuser,CN=Users,DC=internal,DC=domain,DC=com
> basedn= OU=Computer Accounts, DC=internal,DC=domain,DC=com
> email_attribute=mail
> usernameattribute=servicePrincipalName
> connection_timeout=5
> stripped_user_name=no
> encryption=none
> dynamic_routing_module=AuthModule
> port=389
> type=AD
> host=192.168.1.1
> 
> [Windows_10_beta rule Domain_PCs]
> description=
> class=authentication
> match=all
> action0=set_role=domain_PCs
> action1=set_access_duration=6M
> 
> [home_users]
> description=home_users
> password=password
> scope=sub
> binddn= CN=ldapuser,CN=Users,DC=internal,DC=domain,DC=com
> basedn= OU=User Accounts, DC=internal,DC=domain,DC=com
> email_attribute=mail
> usernameattribute=sAMAccountName
> connection_timeout=5
> stripped_user_name=yes
> encryption=none
> dynamic_routing_module=AuthModule
> port=389
> type=AD
> host=192.168.1.1
> 
> [home_users rule home_users]
> description=
> class=authentication
> match=all
> action0=set_role=eduroam_home_byod
> action1=set_access_duration=3M
> 
> 
> vlan_filters.conf
> 
> [machineauth]
> filter = user_name
> operator = match
> value = host/
> 
> [visiting_user]
> filter = user_name
> operator = regex_not
> value = ^(.+@[Cc][Aa][Rr][Dd][Ii][Ff][Ff][Mm][Ee][Tt]\.[Aa][Cc]\.[Uu][Kk]$|.+@[Uu][Ww][Ii][Cc]\.[Aa][Cc]\.[Uu][Kk]$)
> 
> [eduroam_dev]
> filter = ssid
> operator = is
> value = eduroam_dev
> 
> [autoreg:home_user]
> scope = AutoRegister
> role = eduroam_home_byod
> 
> [autoreg:machineauth]
> scope = AutoRegister
> role = domain_PCs
> 
> [autoreg:visiting_user&eduroam_dev&!machineauth]
> scope = AutoRegister
> role = eduroam_visitors
> 
> [2:visiting_user&eduroam_dev&!machineauth]
> scope = RegisteredRole
> role = eduroam_visitors
> action = modify_node
> action_param = mac = $mac, category = eduroam_visitors, unregdate = 1M
> 
> Cheers,
> Andi


_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
