I can now see that the filter you gave me does somehow differentiate this.

Can you please explain what the "operator = defined" line actually does? It 
doesn't seem to matter what I put in the value section. Is this looking to see 
whether Packetfence has the computer name in its database?

Cheers,
Andi

-----Original Message-----
From: Morris, Andi [mailto:[email protected]] 
Sent: 04 May 2016 15:00
To: [email protected]
Subject: Re: [PacketFence-users] computer / user auth when onsite and offsite

Essentially the logic would be:

If domain_PC
        - add to domain_PC role
If domain_PC && domain_user
        - add to domain_PC role
If domain_user && !domain_PC
        - add to byod_home role
If eduroam_visitor
        - add to byod_visitor role

Cheers,
Andi

-----Original Message-----
From: Morris, Andi [mailto:[email protected]] 
Sent: 04 May 2016 14:37
To: [email protected]
Subject: Re: [PacketFence-users] computer / user auth when onsite and offsite

Hi Fabrice,
Thanks for your reply.

That looks good, although I'd need to add all of our individual computer 
accounts in that OU to the rule. Is it possible to do any kind of Distinguished 
Name match in the vlan filters? I was trying to do this with sources as this 
can do the ldap lookup, but I couldn't get it to work.

Cheers,
Andi

-----Original Message-----
From: Fabrice Durand [mailto:[email protected]] 
Sent: 04 May 2016 14:09
To: [email protected]
Subject: Re: [PacketFence-users] computer / user auth when onsite and offsite

Hello Andi,

If machine_account is set, it means that it did machine authentication.
So in your filter you can use the attribute node.machine_account, like this:

[machine]
filter = node_info
attribute = machine_account
operator = defined
value = robert

Regards
Fabrice

On Wednesday, May 04, 2016 08:53 EDT, "Morris, Andi" <[email protected]>
wrote:

> Hi all,
> 
> I'm trying to work out a way to have domain PCs to authenticate with computer 
> auth, but the device falling back to user auth so that if it's offsite it 
> will use the user auth credentials to authenticate at other eduroam sites. 
> What's happening at the moment is that the device authenticates using machine 
> auth before the user logs in, which is great, however once the user logs in 
> the user authentication takes over, and packetfence gives the relevant user 
> role and the vlan is changed to the byod vlan.
> 
> What I'd like to do would be for packetfence to check if that user is logging 
> in using a domain PC, and if so give it one role, and if they're using a non 
> domain PC to give the byod role.
> 
> Is there a way using filters, or sources to achieve this? I currently use 
> vlan_filters to autoreg devices, and to work out if a user is an eduroam 
> visitor to our network. We use sources to evaluate if the device is a 
> computer auth from a certain OU, and another source to evaluate if the user 
> is a local user.
> 
> authentication.conf:
> 
> [AD]
> description=DC1
> password=password
> scope=sub
> binddn=CN=ldapuser,CN=Users,DC=internal,DC=domain,DC=com
> basedn=OU=User Accounts, DC=internal,DC=domain,DC=com
> email_attribute=mail
> usernameattribute=sAMAccountName
> connection_timeout=5
> stripped_user_name=yes
> encryption=none
> dynamic_routing_module=AuthModule
> port=389
> type=AD
> host=192.168.1.1
> 
> [AD rule Full_Web_Admin]
> description=
> class=administration
> match=any
> action0=set_access_level=ALL
> condition0=memberOf,is member of,CN=Admins,OU=Staff,DC=internal,DC=domain,DC=com
> 
> [AD rule Helpdesk_Access]
> description=
> class=administration
> match=any
> action0=set_access_level=Node Manager
> condition0=memberOf,is member of,CN=Helpdesk,OU=Staff,DC=internal,DC=domain,DC=com
> 
> [Windows_10_beta]
> description=Test for Windows 10 PCs
> password=password
> scope=sub
> binddn= CN=ldapuser,CN=Users,DC=internal,DC=domain,DC=com
> basedn= OU=Computer Accounts, DC=internal,DC=domain,DC=com
> email_attribute=mail
> usernameattribute=servicePrincipalName
> connection_timeout=5
> stripped_user_name=no
> encryption=none
> dynamic_routing_module=AuthModule
> port=389
> type=AD
> host=192.168.1.1
> 
> [Windows_10_beta rule Domain_PCs]
> description=
> class=authentication
> match=all
> action0=set_role=domain_PCs
> action1=set_access_duration=6M
> 
> [home_users]
> description=home_users
> password=password
> scope=sub
> binddn= CN=ldapuser,CN=Users,DC=internal,DC=domain,DC=com
> basedn= OU=User Accounts, DC=internal,DC=domain,DC=com
> email_attribute=mail
> usernameattribute=sAMAccountName
> connection_timeout=5
> stripped_user_name=yes
> encryption=none
> dynamic_routing_module=AuthModule
> port=389
> type=AD
> host=192.168.1.1
> 
> [home_users rule home_users]
> description=
> class=authentication
> match=all
> action0=set_role=eduroam_home_byod
> action1=set_access_duration=3M
> 
> 
> vlan_filters.conf
> 
> [machineauth]
> filter = user_name
> operator = match
> value = host/
> 
> [visiting_user]
> filter = user_name
> operator = regex_not
> value = ^(.+@[Cc][Aa][Rr][Dd][Ii][Ff][Ff][Mm][Ee][Tt]\.[Aa][Cc]\.[Uu][Kk]$|.+@[Uu][Ww][Ii][Cc]\.[Aa][Cc]\.[Uu][Kk]$)
> 
> [eduroam_dev]
> filter = ssid
> operator = is
> value = eduroam_dev
> 
> [autoreg:home_user]
> scope = AutoRegister
> role = eduroam_home_byod
> 
> [autoreg:machineauth]
> scope = AutoRegister
> role = domain_PCs
> 
> [autoreg:visiting_user&eduroam_dev&!machineauth]
> scope = AutoRegister
> role = eduroam_visitors
> 
> [2:visiting_user&eduroam_dev&!machineauth]
> scope = RegisteredRole
> role = eduroam_visitors
> action = modify_node
> action_param = mac = $mac, category = eduroam_visitors, unregdate = 1M
> 
> Cheers,
> Andi
> ________________________________
> 
> [Cardiff Metropolitan University - 150 years of nurturing 
> talent]<http://www.cardiffmet.ac.uk/cardiffmet150>


------------------------------------------------------------------------------
Find and fix application performance issues faster with Applications Manager
Applications Manager provides deep performance insights into multiple tiers of
your business applications. It resolves application problems quickly and
reduces your MTTR. Get your free trial!
https://ad.doubleclick.net/ddm/clk/302982198;130105516;z
_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
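
The thread above is about how named vlan filters combine into a role decision, and about what "operator = defined" does. As an added illustration (not PacketFence's own code, and not something either poster ran), the following Python emulates that evaluation offline: the filters from Andi's vlan_filters.conf, Fabrice's "machine" filter with operator = defined, and Andi's four-line role logic as an ordered rule list. Assumptions made here: "defined" is true whenever the attribute carries any value and never looks at "value" (consistent with Andi's observation that the value does not matter); "match" is treated as a regex search; "home_user" (referenced on the page but not defined there) matches the institutional realm; the first matching rule wins; user names, MACs and the machine account are constructed sample data.

```python
import re
from dataclasses import dataclass
from typing import Optional


@dataclass
class NodeInfo:
    """The subset of node_info this emulation needs (constructed, not PacketFence's schema)."""
    mac: str
    machine_account: Optional[str] = None  # set only after a successful machine auth


@dataclass
class Request:
    """What the filter engine sees for one authentication."""
    user_name: str
    ssid: str
    node_info: NodeInfo


# Realm regex copied from the page's [visiting_user] filter.
REALM_RE = (r"^(.+@[Cc][Aa][Rr][Dd][Ii][Ff][Ff][Mm][Ee][Tt]\.[Aa][Cc]\.[Uu][Kk]$"
            r"|.+@[Uu][Ww][Ii][Cc]\.[Aa][Cc]\.[Uu][Kk]$)")

# Named filters in the same key/operator/value shape as vlan_filters.conf.
# machineauth, visiting_user and eduroam_dev are from Andi's config; "machine" is
# Fabrice's suggestion; "home_user" is an assumption (referenced but not shown on the page).
FILTERS = {
    "machineauth":   {"filter": "user_name", "operator": "match",     "value": "host/"},
    "visiting_user": {"filter": "user_name", "operator": "regex_not", "value": REALM_RE},
    "home_user":     {"filter": "user_name", "operator": "regex",     "value": REALM_RE},
    "eduroam_dev":   {"filter": "ssid",      "operator": "is",        "value": "eduroam_dev"},
    "machine":       {"filter": "node_info", "attribute": "machine_account",
                      "operator": "defined", "value": "robert"},  # value is never consulted
}


def _apply(operator, actual, value):
    if operator == "is":
        return actual == value
    if operator in ("match", "regex"):  # assumption: "match" behaves as a regex search
        return actual is not None and re.search(value, actual) is not None
    if operator == "regex_not":
        return actual is None or re.search(value, actual) is None
    if operator == "defined":  # true iff the attribute carries any value; `value` is ignored
        return actual is not None
    raise ValueError(f"unknown operator {operator!r}")


def filter_matches(name, req):
    f = FILTERS[name]
    if f["filter"] == "node_info":
        actual = getattr(req.node_info, f["attribute"], None)
    else:
        actual = getattr(req, f["filter"], None)
    return _apply(f["operator"], actual, f.get("value"))


def condition_matches(expr, req):
    """Evaluate a section name such as 'visiting_user&eduroam_dev&!machineauth':
    an AND of named filters, where a leading '!' negates that filter."""
    for term in expr.split("&"):
        term = term.strip()
        negate = term.startswith("!")
        hit = filter_matches(term.lstrip("!"), req)
        if hit == negate:  # filter failed, or a negated filter succeeded
            return False
    return True


# AutoRegister rules in evaluation order; first match wins (an assumption of this
# emulation). They encode Andi's four-line logic: a node that has done machine auth
# keeps domain_PCs even after the user logs in, otherwise a domain user gets BYOD.
RULES = [
    ("machineauth",                            "domain_PCs"),
    ("home_user&machine",                      "domain_PCs"),
    ("home_user&!machine",                     "eduroam_home_byod"),
    ("visiting_user&eduroam_dev&!machineauth", "eduroam_visitors"),
]


def decide_role(req):
    for expr, role in RULES:
        if condition_matches(expr, req):
            return role
    return None


def demo():
    """Constructed sample authentications covering each branch."""
    domain_pc = NodeInfo("00:11:22:33:44:55", machine_account="host/pc01.internal.domain.com")
    own_laptop = NodeInfo("66:77:88:99:aa:bb")
    return {
        "machine auth":        decide_role(Request("host/pc01.internal.domain.com", "eduroam_dev", domain_pc)),
        "user on domain PC":   decide_role(Request("user1@cardiffmet.ac.uk", "eduroam_dev", domain_pc)),
        "user on own laptop":  decide_role(Request("user1@cardiffmet.ac.uk", "eduroam_dev", own_laptop)),
        "visitor":             decide_role(Request("guest@otheruni.ac.uk", "eduroam_dev", own_laptop)),
        "visitor, other SSID": decide_role(Request("guest@otheruni.ac.uk", "staff", own_laptop)),
    }


if __name__ == "__main__":
    for case, role in demo().items():
        print(f"{case:20} -> {role}")
```

The point the emulation makes visible is the one Fabrice relies on: the decision is keyed on a node attribute that is only populated by a prior machine authentication, not on anything the user-auth request itself carries, so a personal laptop presenting valid domain user credentials still lands in the BYOD role. Whether your PacketFence version evaluates sections in file order, and which scope (AutoRegister or RegisteredRole) applies the role after the user logs in, is something to confirm against its own vlan_filters documentation before relying on this ordering.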