Hi people,

I am at my wits' end. I simply cannot wrap my head around how to set up the
following:

- Domain computers: autoregister, role Machine-auth, VLAN 10
- Domain users (except for admins in the same OU): autoregister, role User-auth, VLAN 10
- Admin users (members of AD group "Company IT"): autoregister, role Management, VLAN 100

However, I am not, for my life, able to get an admin user to switch to VLAN 100
when he logs into a VLAN 10 domain computer. No matter what I do, he is put
into VLAN 10, as he matches the AD-Users source. Can someone tell me how I
achieve switching the VLAN to 100 when an admin logs in to a domain computer, and
back to 10 when someone who is not an admin logs in to the same computer?
What I have done is create:

Domain: CompanyDomain

Realm: COMPANY
  Realm Options: strip
  Domain: CompanyDomain
  Source: AD-Users

Realm: COMPANY.COM
  Realm Options: strip
  Domain: CompanyDomain
  Source: AD-Computers

Internal Sources:

  AD-Users:
    Base DN: OU=Users,OU=Location,DC=CompanyDomain,DC=com
    Username Attribute: sAMAccountName
    Use stripped username: yes
    Rules:
      Conditions: none
      Role: User-auth
      Unreg date: future

  AD-Admins:
    Base DN: OU=Users,DC=CompanyDomain,DC=com
    Username Attribute: sAMAccountName
    Use stripped username: yes
    Rules:
      Conditions: memberof, is member of, CN=Company IT,OU=Groups,OU=Location,DC=CompanyDomain,DC=com
      Role: Management
      Unreg date: future

  AD-Computers:
    Base DN: OU=Location,DC=CompanyDomain,DC=com
    Scope: Subtree
    Username Attribute: servicePrincipalName
    Rules:
      Conditions: none
      Role: Machine-auth
      Unreg date: future

Roles User-auth and Machine-auth are mapped to VLAN 10 on the switches; the
Management role is mapped to VLAN 100.

I have set up only one portal profile, containing all sources:

  Activate preregistration: disabled
  Automatically register devices: enabled
  Reuse dot1x credentials: enabled
  Dot1x recompute role from portal: enabled
  Filters:
    If any condition matches:
      Connection type = Ethernet-EAP
      Connection type = Wireless-802.11-EAP
  Sources:
    AD-Admins
    AD-Users
    AD-Computers
  Provisioners:
    EAPTLS
Best regards,

BISCA A/S
Jes Kasper Klittum
Head of IT
Ahornvej 1,
DK-4780 Stege
+45 3162 3495
+45 7211 0495
[email protected]
www.bisca.com
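Added example (editor's note, not part of the post above and not PacketFence code): a small Python model of how a list of authentication sources, each with a base DN and ordered rules, turns a user's AD attributes into a role. It assumes first-match semantics (sources are tried in the listed order and the first rule whose conditions all hold decides the role) and Subtree base-DN scoping; the source names, role names and the "Company IT" group DN are taken from the post, while the base DNs, user DNs and account names are constructed. It shows two things a practitioner would check when an admin keeps landing in the user role: whether a catch-all source listed before the admin source shadows it, and whether the admin's DN actually lies under the admin source's base DN.

```python
"""Toy first-match evaluation of ordered authentication sources (example code).

Assumption: sources are evaluated in list order and the first matching rule
wins, which is what this model uses to explain a catch-all rule shadowing a
more specific one. Base DNs, DNs and accounts below are constructed.
"""
from dataclasses import dataclass, field


@dataclass
class Rule:
    role: str
    # Each condition is (attribute, operator, value). No conditions == matches everyone.
    conditions: list = field(default_factory=list)


@dataclass
class Source:
    name: str
    base_dn: str  # only users whose DN lies under this subtree are found by the source
    rules: list = field(default_factory=list)


def under_base_dn(user_dn: str, base_dn: str) -> bool:
    """True if user_dn sits inside the subtree rooted at base_dn (case-insensitive)."""
    return user_dn.lower().endswith("," + base_dn.lower())


def condition_matches(user: dict, cond: tuple) -> bool:
    attr, op, value = cond
    if op == "is member of":
        return value.lower() in (g.lower() for g in user.get(attr, []))
    if op == "equals":
        return str(user.get(attr, "")).lower() == value.lower()
    raise ValueError(f"unsupported operator: {op}")


def evaluate(sources: list, user: dict):
    """Return (source name, role) from the first source/rule that matches, else (None, None).

    A source whose base DN does not contain the user never sees the user at all;
    within the sources that do, a catch-all rule listed first hides every rule after it.
    """
    for source in sources:
        if not under_base_dn(user["dn"], source.base_dn):
            continue
        for rule in source.rules:
            if all(condition_matches(user, c) for c in rule.conditions):
                return source.name, rule.role
    return None, None


# Sources modelled on the post (names and roles from the post; base DNs are constructed).
COMPANY_IT = "CN=Company IT,OU=Groups,OU=Location,DC=CompanyDomain,DC=com"
AD_USERS = Source("AD-Users", "OU=Users,OU=Location,DC=CompanyDomain,DC=com",
                  [Rule("User-auth")])  # no conditions: catch-all
AD_ADMINS = Source("AD-Admins", "OU=Location,DC=CompanyDomain,DC=com",
                   [Rule("Management", [("memberOf", "is member of", COMPANY_IT)])])

# Constructed test accounts, not real users.
ADMIN = {"dn": "CN=Alice,OU=Users,OU=Location,DC=CompanyDomain,DC=com",
         "sAMAccountName": "alice", "memberOf": [COMPANY_IT]}
USER = {"dn": "CN=Bob,OU=Users,OU=Location,DC=CompanyDomain,DC=com",
        "sAMAccountName": "bob", "memberOf": []}
OUTSIDE = {"dn": "CN=Carol,OU=Users,DC=CompanyDomain,DC=com",  # outside both base DNs
           "sAMAccountName": "carol", "memberOf": [COMPANY_IT]}


def users_first() -> dict:
    """Catch-all AD-Users listed before AD-Admins: the admin is shadowed into User-auth."""
    return {u["sAMAccountName"]: evaluate([AD_USERS, AD_ADMINS], u)
            for u in (ADMIN, USER, OUTSIDE)}


def admins_first() -> dict:
    """AD-Admins listed first: admins get Management, everyone else falls through to User-auth."""
    return {u["sAMAccountName"]: evaluate([AD_ADMINS, AD_USERS], u)
            for u in (ADMIN, USER, OUTSIDE)}


if __name__ == "__main__":
    print("AD-Users listed first: ", users_first())
    print("AD-Admins listed first:", admins_first())
```

Carol is a member of "Company IT" but is outside both base DNs, so neither ordering assigns her a role; that is the base-DN check to make alongside the ordering check.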
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users