Thanks Fabrice,
It seems to be working a lot closer to how I require it now.
Non-domain PC:       mac auth  - fail
                     user auth - BYOD
Domain PC:           mac auth  - domain_PCs
                     user auth - domain_users
However, if I disable a domain PC account after it has previously connected, I
get the following:
Disabled domain PC:  mac auth  - fail
                     user auth - domain_users
I was hoping that this would come out with the user auth being BYOD.
The only way I can get a disabled domain PC to authenticate as:
                     machine auth - fail
                     user auth    - byod
is if I remove any trace of the domain PC from packetfence, so unreg the node,
and wait for cleanup to get rid of it.
I'm guessing that this is because PacketFence is aware that this PC has
authenticated with machine auth in the past, and is therefore passing the machine
filter:
[machine]
filter = node_info
attribute = machine_account
operator = defined
value = test
Can you think of a way to do this?
Cheers,
Andi
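A vlan_filters.conf fragment, added here as an illustration and not taken from the thread or from the PacketFence project, that wires Fabrice's [machine] condition into the four-way logic Andi described (domain PC, domain user on a domain PC, domain user on a non-domain PC, eduroam visitor). It reuses the condition names, operators and the [id:cond&cond&!cond] rule form from Andi's own configuration; the split between AutoRegister rules (first connection) and RegisteredRole rules (later connections of an already-registered node) is an assumption about when each scope fires, not something the thread confirms.

```ini
# Added example (not from the thread or the PacketFence project).
# Conditions: names and operators as used in the thread.

# True for a machine authentication (user name of the form host/...).
[machineauth]
filter = user_name
operator = match
value = host/

# Fabrice's condition: true once the node record carries a machine_account,
# i.e. this device has done machine auth before. "value" is mandatory for the
# "defined" operator but its content is ignored.
[machine]
filter = node_info
attribute = machine_account
operator = defined
value = any

# True when the user name is NOT in one of our own realms.
[visiting_user]
filter = user_name
operator = regex_not
value = ^(.+@[Cc][Aa][Rr][Dd][Ii][Ff][Ff][Mm][Ee][Tt]\.[Aa][Cc]\.[Uu][Kk]$|.+@[Uu][Ww][Ii][Cc]\.[Aa][Cc]\.[Uu][Kk]$)

[eduroam_dev]
filter = ssid
operator = is
value = eduroam_dev

# First connection (AutoRegister scope).
# Machine auth registers the device as a domain PC; this is the point at which
# PacketFence stores machine_account on the node.
[autoreg:machineauth]
scope = AutoRegister
role = domain_PCs

# A device whose first ever connection is a user auth has no machine_account,
# so it is not one of our domain PCs: BYOD.
[autoreg:!machineauth&!visiting_user]
scope = AutoRegister
role = eduroam_home_byod

[autoreg:visiting_user&eduroam_dev&!machineauth]
scope = AutoRegister
role = eduroam_visitors

# Later connections (RegisteredRole scope, assumed to be where the role of an
# already-registered node is decided). The user has now logged in; the choice
# is made on the node record, not on the user.
[reg:machine&!machineauth&!visiting_user]
scope = RegisteredRole
role = domain_users

[reg:!machine&!machineauth&!visiting_user]
scope = RegisteredRole
role = eduroam_home_byod
```

The fragment also makes the disabled-PC behaviour Andi reports easy to see: [machine] looks only at node_info, which PacketFence populated when the computer last did machine auth. Disabling the computer account changes Active Directory, not the node row, so the condition keeps matching and the user auth keeps landing in domain_users until the node is unregistered and the cleanup job removes it. Nothing in the thread shows a vlan filter that consults the computer account's state in AD, so this fragment does not change that outcome.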
-----Original Message-----
From: Fabrice Durand [mailto:[email protected]]
Sent: 04 May 2016 16:57
To: [email protected]
Subject: Re: [PacketFence-users] computer / user auth when onsite and offsite
Hello Andi,
defined just means that the value is defined; value is just mandatory because
the vlan filter needs it, but it can be a random value.
Regards
Fabrice
On Wednesday, May 04, 2016 11:20 EDT, "Morris, Andi" <[email protected]>
wrote:
> I can now see that the filter you gave me does somehow differentiate this.
>
> Can you please explain what the "operator = defined" line actually does? It
> doesn't seem to matter what I put in the value section. Is this looking to
> see whether Packetfence has the computer name in its database?
>
> Cheers,
> Andi
>
> -----Original Message-----
> From: Morris, Andi [mailto:[email protected]]
> Sent: 04 May 2016 15:00
> To: [email protected]
> Subject: Re: [PacketFence-users] computer / user auth when onsite and
> offsite
>
> Essentially the logic would be:
>
> If domain_PC
> - add to domain_PC role
> If domain_PC && domain_user
> - add to domain_PC role
> If domain_user && !domain_PC
> - add to byod_home role
> If eduroam_visitor
> - add to byod_visitor role
>
> Cheers,
> Andi
>
> -----Original Message-----
> From: Morris, Andi [mailto:[email protected]]
> Sent: 04 May 2016 14:37
> To: [email protected]
> Subject: Re: [PacketFence-users] computer / user auth when onsite and
> offsite
>
> Hi Fabrice,
> Thanks for your reply.
>
> That looks good, although I'd need to add all of our individual computer
> accounts in that OU to the rule. Is it possible to do any kind of
> Distinguished Name match in the vlan filters? I was trying to do this with
> sources as this can do the ldap lookup, but I couldn't get it to work.
>
> Cheers,
> Andi
>
> -----Original Message-----
> From: Fabrice Durand [mailto:[email protected]]
> Sent: 04 May 2016 14:09
> To: [email protected]
> Subject: Re: [PacketFence-users] computer / user auth when onsite and
> offsite
>
> Hello Andi,
>
> if machine_account is set then it means that it did machine authentication.
> So in your filter you can use the attribute node.machine_account, like this:
>
> [machine]
> filter = node_info
> attribute = machine_account
> operator = defined
> value = robert
>
>
>
> Regards
> Fabrice
>
> On Wednesday, May 04, 2016 08:53 EDT, "Morris, Andi"
> <[email protected]> wrote:
>
> > Hi all,
> >
> > I'm trying to work out a way to have domain PCs authenticate with
> > computer auth, but with the device falling back to user auth so that if it's
> > offsite it will use the user auth credentials to authenticate at other
> > eduroam sites. What's happening at the moment is that the device
> > authenticates using machine auth before the user logs in, which is great;
> > however, once the user logs in the user authentication takes over, and
> > packetfence gives the relevant user role and the vlan is changed to the
> > byod vlan.
> >
> > What I'd like to do would be for packetfence to check if that user is
> > logging in using a domain PC, and if so give it one role, and if they're
> > using a non domain PC to give the byod role.
> >
> > Is there a way using filters, or sources to achieve this? I currently use
> > vlan_filters to autoreg devices, and to work out if a user is an eduroam
> > visitor to our network. We use sources to evaluate if the device is a
> > computer auth from a certain OU, and another source to evaluate if the user
> > is a local user.
> >
> > authentication.conf:
> >
> > [AD]
> > description=DC1
> > password=password
> > scope=sub
> > binddn=CN=ldapuser,CN=Users,DC=internal,DC=domain,DC=com
> > basedn=OU=User Accounts, DC=internal,DC=domain,DC=com
> > email_attribute=mail
> > usernameattribute=sAMAccountName
> > connection_timeout=5
> > stripped_user_name=yes
> > encryption=none
> > dynamic_routing_module=AuthModule
> > port=389
> > type=AD
> > host=192.168.1.1
> >
> > [AD rule Full_Web_Admin]
> > description=
> > class=administration
> > match=any
> > action0=set_access_level=ALL
> > condition0=memberOf,is member of,CN=Admins,OU=Staff,DC=internal,DC=domain,DC=com
> >
> > [AD rule Helpdesk_Access]
> > description=
> > class=administration
> > match=any
> > action0=set_access_level=Node Manager
> > condition0=memberOf,is member of,CN=Helpdesk,OU=Staff,DC=internal,DC=domain,DC=com
> >
> > [Windows_10_beta]
> > description=Test for Windows 10 PCs
> > password=password
> > scope=sub
> > binddn= CN=ldapuser,CN=Users,DC=internal,DC=domain,DC=com
> > basedn= OU=Computer Accounts, DC=internal,DC=domain,DC=com
> > email_attribute=mail
> > usernameattribute=servicePrincipalName
> > connection_timeout=5
> > stripped_user_name=no
> > encryption=none
> > dynamic_routing_module=AuthModule
> > port=389
> > type=AD
> > host=192.168.1.1
> >
> > [Windows_10_beta rule Domain_PCs]
> > description=
> > class=authentication
> > match=all
> > action0=set_role=domain_PCs
> > action1=set_access_duration=6M
> >
> > [home_users]
> > description=home_users
> > password=password
> > scope=sub
> > binddn= CN=ldapuser,CN=Users,DC=internal,DC=domain,DC=com
> > basedn= OU=User Accounts, DC=internal,DC=domain,DC=com
> > email_attribute=mail
> > usernameattribute=sAMAccountName
> > connection_timeout=5
> > stripped_user_name=yes
> > encryption=none
> > dynamic_routing_module=AuthModule
> > port=389
> > type=AD
> > host=192.168.1.1
> >
> > [home_users rule home_users]
> > description=
> > class=authentication
> > match=all
> > action0=set_role=eduroam_home_byod
> > action1=set_access_duration=3M
> >
> >
> > vlan_filters.conf
> >
> > [machineauth]
> > filter = user_name
> > operator = match
> > value = host/
> >
> > [visiting_user]
> > filter = user_name
> > operator = regex_not
> > value = ^(.+@[Cc][Aa][Rr][Dd][Ii][Ff][Ff][Mm][Ee][Tt]\.[Aa][Cc]\.[Uu][Kk]$|.+@[Uu][Ww][Ii][Cc]\.[Aa][Cc]\.[Uu][Kk]$)
> >
> > [eduroam_dev]
> > filter = ssid
> > operator = is
> > value = eduroam_dev
> >
> > [autoreg:home_user]
> > scope = AutoRegister
> > role = eduroam_home_byod
> >
> > [autoreg:machineauth]
> > scope = AutoRegister
> > role = domain_PCs
> >
> > [autoreg:visiting_user&eduroam_dev&!machineauth]
> > scope = AutoRegister
> > role = eduroam_visitors
> >
> > [2:visiting_user&eduroam_dev&!machineauth]
> > scope = RegisteredRole
> > role = eduroam_visitors
> > action = modify_node
> > action_param = mac = $mac, category = eduroam_visitors, unregdate = 1M
> >
> > Cheers,
> > Andi
> > ________________________________
> >
> > [Cardiff Metropolitan University - 150 years of nurturing
> > talent]<http://www.cardiffmet.ac.uk/cardiffmet150>
>
>
> ----------------------------------------------------------------------
> -------- Find and fix application performance issues faster with
> Applications Manager Applications Manager provides deep performance
> insights into multiple tiers of your business applications. It
> resolves application problems quickly and reduces your MTTR. Get your
> free trial!
> https://ad.doubleclick.net/ddm/clk/302982198;130105516;z
> _______________________________________________
> PacketFence-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/packetfence-users