Hello all, Inverse folks, 6.5 is really looking good, well done as
usual! I have noted the following on both PF5.4 and 6.5 and would like
some help determining how to accomplish the mission:
I am using the following filters and rules in
/usr/local/pf/conf/vlan_filters.conf:
[WirelessEAP]
filter = connection_type
operator = is
value = Wireless-802.11-EAP
[machineauth]
filter = user_name
operator = match
value = host/
[notempl]
filter=node_info.category
operator=is_not
value=employee
[notreg]
filter=node_info.status
operator=is_not
value=reg
[byod]
filter=ssid
operator=is
value=TCSS-BYOD
[chromebook]
filter=user_name
operator=is
value=chromebook
[notchromebook]
filter=user_name
operator=is_not
value=chromebook
[byod99]
filter=ssid
operator=is
value=TCSS-BYOD-Test99
[update:chromebook]
scope=RegisteredRole
role=employee
action=modify_node
action_param=mac=$mac,category=employee
[update2:WirelessEAP&machineauth&notempl]
scope=RegisteredRole
role=employee
action=modify_node
action_param=mac=$mac,category=employee
###Machine Auth Autoregister (for onboarding new domain-joined pc) ###
[1:WirelessEAP&machineauth&notreg]
scope = AutoRegister
role = employee
[2:WirelessEAP&machineauth]
scope = NodeInfoForAutoReg
role = employee
###Autoregister BYOD as guest###
[autoreg:notempl&byod]
scope=AutoRegister
role=guest
[autoreg:notempl&byod99]
scope=AutoRegister
role=guest
###Autoreg Chromebook as employee (for onboarding chromebooks)###
[autoreg:notempl&chromebook]
scope=RegisteredRole
role=employee
[autoreg:chromebook&notreg]
scope=AutoRegister
role=employee
[autoreg:chromebook]
scope=NodeInfoForAutoReg
role=employee
###Catchall to force all to guest by default###
[auth:notempl&byod&notchromebook]
scope=RegisteredRole
role=guest
[auth:notempl&byod99&notchromebook]
scope=RegisteredRole
role=guest
So far so good, devices are being auto-registered if they are
machine-auth'd or if they are authenticated as user "Chromebook". The first
problem, however, is that they are all being auto-registered on the DEFAULT
role of "guest", despite my rule specifying role=employee:
###Machine Auth Autoregister (for onboarding new domain-joined pc) ###
[1:WirelessEAP&machineauth&notreg]
scope = AutoRegister
role = employee
[2:WirelessEAP&machineauth]
scope = NodeInfoForAutoReg
role = employee
###Autoreg Chromebook as employee (for onboarding chromebooks)###
[autoreg:notempl&chromebook]
scope=RegisteredRole
role=employee
[autoreg:chromebook&notreg]
scope=AutoRegister
role=employee
[autoreg:chromebook]
scope=NodeInfoForAutoReg
role=employee
Which led me to the next problem when I started trying to work around this
pitfall using some update rules. If the device is auto-registered, the
following update rules will *not* take effect (although packetfence.log
does mention that the authentication request matches the update rule):
[update:chromebook]
scope=RegisteredRole
role=employee
action=modify_node
action_param=mac=$mac,category=employee
[update2:WirelessEAP&machineauth&notempl]
scope=RegisteredRole
role=employee
action=modify_node
action_param=mac=$mac,category=employee
Interesting part, though! If I manually update the node table and remove
the auto-registration parts for this node:
mysql> update node set autoreg='no',notes='' where mac like '%0d:c1';
Query OK, 1 row affected (0.11 sec)
Rows matched: 1 Changed: 1 Warnings: 0
then re-auth the device, the rule *DOES* take effect and the record is
updated in the nodes table to have category_id 4, which is our "employee"
role.
As I mentioned, I'm running into this problem in both PF 5.4 and in the
latest and greatest 6.5. Can you guys have a look and see if you can
duplicate the issue, and if so let me know the easiest way to fix it?
Having this auto-registration working properly would ease our current
onboarding process for new devices tremendously.
Thanks,
--
Gary Stansbury
Network Engineer
Troup County Board of Education, LaGrange, GA
706-594-3928
_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
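As an added illustration (this is not the poster's config nor PacketFence's own code), the Python script below simulates the rule matching that vlan_filters.conf expresses: it parses a subset of the posted configuration, evaluates each filter section against a constructed RADIUS request plus node record, and reports, per scope, the first rule whose `&`-joined filters all match. The assumptions are labelled in the code: first match wins within a scope, `match` is a regular-expression search, `is`/`is_not` are plain string comparisons, only the `&` conjunction used in the post is handled, and the requests, SSIDs and hostnames are made up for the example. It shows which rule the engine would select for a given request; it does not model how PacketFence then treats a node that is already auto-registered, which is the behaviour the post reports.

```python
import configparser
import re

# Subset of the posted vlan_filters.conf (constructed from the post, with
# the '&not...' filter references restored where '&not' showed as '¬').
VLAN_FILTERS_CONF = """
[WirelessEAP]
filter = connection_type
operator = is
value = Wireless-802.11-EAP
[machineauth]
filter = user_name
operator = match
value = host/
[notempl]
filter = node_info.category
operator = is_not
value = employee
[notreg]
filter = node_info.status
operator = is_not
value = reg
[byod]
filter = ssid
operator = is
value = TCSS-BYOD
[chromebook]
filter = user_name
operator = is
value = chromebook
[update2:WirelessEAP&machineauth&notempl]
scope = RegisteredRole
role = employee
action = modify_node
action_param = mac=$mac,category=employee
[1:WirelessEAP&machineauth&notreg]
scope = AutoRegister
role = employee
[2:WirelessEAP&machineauth]
scope = NodeInfoForAutoReg
role = employee
[autoreg:notempl&byod]
scope = AutoRegister
role = guest
[autoreg:chromebook&notreg]
scope = AutoRegister
role = employee
"""


def load_vlan_filters(text):
    """Split the conf into named filters and ordered rules (name, expr, body)."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    filters, rules = {}, []
    for name in cp.sections():
        body = dict(cp[name])
        if "filter" in body:
            filters[name] = body
        else:  # rule sections are "<id>:<filter&filter...>"
            rules.append((name, name.partition(":")[2], body))
    return filters, rules


def lookup(request, dotted):
    # Resolve keys such as node_info.category; anything missing reads as ''.
    value = request
    for part in dotted.split("."):
        value = value.get(part) if isinstance(value, dict) else None
    return "" if value is None else str(value)


def filter_matches(flt, request):
    actual, expected = lookup(request, flt["filter"]), flt["value"]
    if flt["operator"] == "is":
        return actual == expected
    if flt["operator"] == "is_not":
        return actual != expected
    if flt["operator"] == "match":  # assumption: regex search semantics
        return re.search(expected, actual) is not None
    raise ValueError("unsupported operator: " + flt["operator"])


def first_match(scope, request, filters, rules):
    """Assumed first-match semantics: (section name, body) or None."""
    for name, expr, body in rules:
        if body.get("scope") != scope:
            continue
        if all(filter_matches(filters[f], request) for f in expr.split("&")):
            return name, body
    return None


def request(user_name, ssid, status="unreg", category=""):
    # Constructed 802.1X wireless request plus the node's current record.
    return {"connection_type": "Wireless-802.11-EAP", "user_name": user_name,
            "ssid": ssid, "node_info": {"status": status, "category": category}}


if __name__ == "__main__":
    filters, rules = load_vlan_filters(VLAN_FILTERS_CONF)
    cases = [("new domain PC", request("host/pc01.example.local", "TCSS-Staff")),
             ("chromebook on BYOD", request("chromebook", "TCSS-BYOD"))]
    for label, req in cases:
        for scope in ("AutoRegister", "NodeInfoForAutoReg", "RegisteredRole"):
            hit = first_match(scope, req, filters, rules)
            print(f"{label:20} {scope:19} -> {hit[0] if hit else '(no rule)'}")
```

Running it prints, for each constructed request and scope, the first rule the simulated engine would pick. One thing it makes visible under the first-match assumption: a Chromebook that associates to the BYOD SSID reaches `[autoreg:notempl&byod]` (role guest) before `[autoreg:chromebook&notreg]` (role employee), because the BYOD rule sits earlier in the file; the same Chromebook on another SSID is selected by the chromebook rule. Whether that ordering is what the poster's devices hit cannot be told from the post, so it is a check to run against the real request, not a diagnosis.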