Hello,

The rule order is very important under your source: the first rule that matches will 
apply the access.

Make sure that the admin rule is above all even above the computer auth rule.

You can test whether your users correctly match the rule with:

/usr/local/pf/bin/pftest authentication username ""

Alternatively, you could use the vlan_filters configuration (conf/vlan_filters.conf) 
to achieve that as well.

Thanks,
Ludovic Zammit
[email protected] ::  +1.514.447.4918 (x145) ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence (http://packetfence.org)
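As an added illustration of the first-match behaviour described above (this is not PacketFence's own code, and the DNs, group and directory entries are constructed sample data; only the source names and roles are taken from the thread), the following model walks a portal profile's sources top to bottom, skips sources whose base DN does not contain the entry, and applies the first rule whose conditions all hold. Running it shows the admin landing in the User-auth role when the unconditional AD-Users source is listed first, and in Management once the conditional AD-Admins source is moved above it:

```python
# Added example, not PacketFence code: a minimal model of first-match rule
# evaluation across authentication sources. Source names and roles follow the
# thread; DNs, the admin group and the three directory entries are constructed.
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Rule:
    name: str
    role: str
    # each condition is (attribute, operator, value); an empty list always matches
    conditions: list = field(default_factory=list)


@dataclass
class Source:
    name: str
    base_dn: str           # only entries under this DN are found by the source
    rules: list = field(default_factory=list)


def in_scope(entry: dict, source: Source) -> bool:
    """An LDAP source only evaluates its rules for entries it can actually find."""
    return entry["dn"].lower().endswith(source.base_dn.lower())


def condition_holds(entry: dict, attr: str, op: str, value: str) -> bool:
    values = entry.get(attr, [])
    if not isinstance(values, list):
        values = [values]
    if op == "is member of":                  # memberOf is multi-valued in AD
        return value.lower() in (v.lower() for v in values)
    if op == "equals":
        return len(values) == 1 and values[0].lower() == value.lower()
    raise ValueError(f"unsupported operator: {op!r}")


def first_match(entry: dict, sources: list) -> Optional[tuple]:
    """Return (source, rule, role) of the first matching rule, else None."""
    for source in sources:
        if not in_scope(entry, source):
            continue
        for rule in source.rules:
            if all(condition_holds(entry, *cond) for cond in rule.conditions):
                return source.name, rule.name, rule.role
    return None


def role_for(entry: dict, sources: list) -> Optional[str]:
    match = first_match(entry, sources)
    return match[2] if match else None


# --- constructed sample data (hypothetical DNs, not the poster's directory) ---
BASE = "OU=Location,DC=CompanyDomain,DC=com"
ADMIN_GROUP = f"CN=Company IT,OU=Groups,{BASE}"

AD_ADMINS = Source("AD-Admins", BASE, [
    Rule("it-staff", "Management", [("memberOf", "is member of", ADMIN_GROUP)]),
])
AD_USERS = Source("AD-Users", f"OU=Users,{BASE}", [
    Rule("catch-all", "User-auth"),           # no conditions: matches anyone found
])
AD_COMPUTERS = Source("AD-Computers", f"OU=Computers,{BASE}", [
    Rule("catch-all", "Machine-auth"),
])

ADMIN = {"dn": f"CN=asmith,OU=Users,{BASE}", "sAMAccountName": "asmith",
         "memberOf": [ADMIN_GROUP, f"CN=Staff,OU=Groups,{BASE}"]}
STAFF = {"dn": f"CN=jdoe,OU=Users,{BASE}", "sAMAccountName": "jdoe",
         "memberOf": [f"CN=Staff,OU=Groups,{BASE}"]}
HOST = {"dn": f"CN=PC01,OU=Computers,{BASE}", "sAMAccountName": "PC01$",
        "servicePrincipalName": ["HOST/PC01.CompanyDomain.com"]}

# unconditional catch-all listed first: the admin never reaches the Management rule
ORDER_WRONG = [AD_USERS, AD_ADMINS, AD_COMPUTERS]
# conditional admin source first, catch-all sources after it
ORDER_RIGHT = [AD_ADMINS, AD_USERS, AD_COMPUTERS]

if __name__ == "__main__":
    for label, order in (("wrong order", ORDER_WRONG), ("right order", ORDER_RIGHT)):
        for who in (ADMIN, STAFF, HOST):
            print(f"{label}: {who['sAMAccountName']:7} -> {role_for(who, order)}")
```

The machine account ends up in Machine-auth under either ordering because it is only found by the AD-Computers source, which is why the order of the two user sources is what decides the admin's role. The in_scope check is also the thing to keep in mind when a source seems to be ignored: a rule is never evaluated for an entry that the source's base DN does not contain.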



> On 2 March 2017 at 05:38, Jes Kasper Klittum <[email protected]> wrote:
> 
> Hi people,
>  
> I am at my wits' end. I simply cannot wrap my head around how to set up the 
> following:
>  
> Domain computers: autoregister role machine-auth VLAN 10
> Domain users (except for admins in same OU) autoregister role user-auth : 
> VLAN 10
> Admin users (members of AD group “Company IT”) autoregister role Management: 
> VLAN 100
>  
> However, I am not, for my life, able to get an Admin user to switch to VLAN 
> 100 when he logs into a VLAN 10 domain computer. No matter what I do, he is 
> put into VLAN 10, as he matches the AD-Users source. Can someone tell me how 
> I achieve switching VLAN to 100 when an admin logs in to a domain computer, 
> and back to 10 when someone who is not an admin logs in to the same computer?
>  
> What I have done, is create:
>  
> Domain: CompanyDomain
>  
> Realm:
> COMPANY
> Realm Options: strip
> Domain: CompanyDomain
> Source: AD-Users
>  
> Realm:
> COMPANY.COM
> Realm Options: strip
> Domain: CompanyDomain
> Source: AD-Computers
>  
> Internal Sources:
>  
> AD-Users:
> Base DN: OU=Users,OU=Location,DC=CompanyDomain,DC=com
> Username Attribute: sAMAccountName
> Use stripped username: yes
> Rules: 
> Conditions: none
> Role: User-auth
> Unreg date: future
>  
>  
> AD-Admins:
> Base DN: OU=Users,DC=CompanyDomain,DC=com
> Username Attribute: sAMAccountName
> Use stripped username: yes
> Rules: 
> Conditions: memberof, is member of, CN=Company IT,OU=Groups,OU=Location,DC=CompanyDomain,DC=com
> Role: Management
> Unreg date: future
>  
>  
> AD-Computers:
> OU=Location,DC=CompanyDomain,DC=com
> Scope: Subtree
> Username Attribute: servicePrincipalName
> Conditions: none
> Role: Machine-auth
> Unreg date: future
>  
> Role User-Auth and Machine-auth are mapped to VLAN 10 on switches, Management 
> role is mapped to VLAN 100.
>  
> I have set up only one portal profile, containing all sources:
>  
> Activate preregistration: disabled
> Automatically register devices: enabled
> Reuse dot1x credentials: enabled
> Dot1x recompute role from portal: enabled
>  
> Filters:
> If any condition matches
> Connection type=Ethernet-EAP
> Connection type=Wireless-802.11-EAP
>  
> Sources:
> AD-Admins
> AD-Users
> AD-Computers
>  
> Provisioners:
> EAPTLS
>  
>  
> Best regards,
> BISCA A/S
>  
> Jes Kasper Klittum
> Head of IT
>  
> Ahornvej 1,
> DK-4780 Stege
> +45 3162 3495
> +45 7211 0495
> [email protected]
>  
> www.bisca.com
>  
> Please consider the environment before printing this e-mail.
>  
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, SlashDot.org! http://sdm.link/slashdot
_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
