Hi Lodovic,
I have just made sure the rules are in order, with the admin/user/computer
order.
However, something very strange seems to be happening. It appears to be
behaving in a very random manner.
I noticed, in packetfence.log, that my domain computer was registering as
WIRED_MAC_AUTH and hitting the default profile, which had no sources. I then
added the computer source to the default profile and checked Reuse dot1x
credentials and Dot1x recompute role from portal and now my domain computers
started being registered as host/computername in the log and using EAP. Then
all of a sudden it worked, logging in as one user and getting the 100 VLAN and
logging out, and the computer getting the default LAN again. Then I worked on
something else for a while, and wanted to test the same computer again – now
all of a sudden the machine registers as WIRED_MAC_AUTH and the username like
8c89a527602e and nothing works.
Autoreg also stopped working.
I don’t understand why the domain computer ends up on the default profile.
I have not changed anything, so it is like PF is just choosing at random if it
sees EAP or MAC...
The switch is a HP (H3C) 1920
I have been working on this for weeks… ☹
Jes
From: Ludovic Zammit [mailto:[email protected]]
Sent: 2 March 2017 15:16
To: [email protected]
Subject: Re: [PacketFence-users] How: Assign/Reassign VLAN based on AD group
membership or lack of membership?
Hello,
The rule order is very important under your source; the first that matches will
apply the access.
Make sure that the admin rule is above all, even above the computer auth rule.
You can test whether your users match the rule correctly with:
/usr/local/pf/bin/pftest authentication username ""
Alternatively, you could use the vlan_filters configuration
(conf/vlan_filters.conf) to achieve that as well.
Thanks,
Ludovic Zammit
[email protected] :: +1.514.447.4918 (x145) :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence
(http://packetfence.org)
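As an added illustration of the first-match behaviour described above (this is
not PacketFence's own code and was not posted by either participant), the
following Python model walks authentication sources in order and, within each
source, walks its rules in order, so a source whose rule has no conditions
catches every account that reaches it. The source names, roles, group DN and
VLAN numbers are taken from the thread; the sample accounts, the
"users first" ordering (deliberately wrong, to show the failure) and the
for_computers lookup flag are constructed assumptions, and the model ignores
LDAP base DN scoping entirely.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Simplified model of ordered-source, ordered-rule evaluation. Added
# illustration, not PacketFence code. Source names, roles, group DN and VLAN
# numbers are from the thread; the accounts and orderings are constructed.


@dataclass(frozen=True)
class Rule:
    role: str
    member_of: Optional[str] = None  # required memberOf DN; None = "no conditions"


@dataclass(frozen=True)
class Source:
    name: str
    rules: Tuple[Rule, ...]
    for_computers: bool = False  # assumption: lookup succeeds only for this account kind


@dataclass(frozen=True)
class Principal:
    name: str                     # sAMAccountName or host/<computer>
    groups: Tuple[str, ...] = ()  # memberOf values (constructed)
    is_computer: bool = False


COMPANY_IT = "CN=Company IT,OU=Groups,OU=Location,DC=CompanyDomain,DC=com"

AD_ADMINS = Source("AD-Admins", (Rule("Management", member_of=COMPANY_IT),))
AD_USERS = Source("AD-Users", (Rule("User-auth"),))  # no conditions: catch-all
AD_COMPUTERS = Source("AD-Computers", (Rule("Machine-auth"),), for_computers=True)

ROLE_TO_VLAN = {"User-auth": 10, "Machine-auth": 10, "Management": 100}

# A deliberately wrong ordering (catch-all user source first) and the
# ordering recommended in the reply (admin source above everything else).
ORDER_USERS_FIRST = (AD_USERS, AD_ADMINS, AD_COMPUTERS)
ORDER_ADMINS_FIRST = (AD_ADMINS, AD_USERS, AD_COMPUTERS)


def _has_group(principal: Principal, group_dn: str) -> bool:
    # DNs compare case-insensitively.
    return group_dn.lower() in (g.lower() for g in principal.groups)


def first_match(principal: Principal, sources) -> Optional[Tuple[str, str]]:
    """Return (source name, role) from the first source whose lookup succeeds
    and whose first matching rule applies, or None when nothing matches."""
    for src in sources:
        if src.for_computers != principal.is_computer:
            continue  # lookup fails in this source: wrong kind of account
        for rule in src.rules:
            if rule.member_of is None or _has_group(principal, rule.member_of):
                return src.name, rule.role
    return None


def assigned_vlan(principal: Principal, sources) -> Optional[int]:
    """VLAN the matched role maps to, or None when no source matched."""
    hit = first_match(principal, sources)
    return ROLE_TO_VLAN[hit[1]] if hit else None


# Constructed sample accounts: an IT admin, an ordinary user, a domain computer.
ADMIN = Principal("alice", groups=(COMPANY_IT,))
STAFF = Principal("bob")
PC = Principal("host/pc01.CompanyDomain.com", is_computer=True)

if __name__ == "__main__":
    for label, order in (("users first", ORDER_USERS_FIRST),
                         ("admins first", ORDER_ADMINS_FIRST)):
        for p in (ADMIN, STAFF, PC):
            print(f"{label:12} {p.name:28} -> {first_match(p, order)} "
                  f"VLAN {assigned_vlan(p, order)}")
```

With the catch-all user source first, the admin lands on User-auth (VLAN 10)
even though she is in Company IT; moving the admin source to the top gives
her Management (VLAN 100) while ordinary users and computers are unaffected,
which is exactly why a source with no conditions must sit below every
conditional one.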
On 2 March 2017 at 05:38, Jes Kasper Klittum <[email protected]> wrote:
Hi people,
I am at my wits' end. I simply cannot wrap my head around how to set up the
following:
Domain computers: autoregister role machine-auth VLAN 10
Domain users (except for admins in same OU) autoregister role user-auth : VLAN
10
Admin users (members of AD group “Company IT”) autoregister role Management:
VLAN 100
However, I am not, for my life, able to get an Admin user to switch to VLAN 100
when he logs into a VLAN 10 domain computer. No matter what I do, he is put
into VLAN 10, as he matches the AD-Users source. Can someone tell me how I
achieve switching VLAN to 100 when an admin logs in to a domain computer, and
back to 10 when someone who is not an admin logs in to the same computer?
What I have done is create:

Domain: CompanyDomain

Realm: COMPANY
    Realm Options: strip
    Domain: CompanyDomain
    Source: AD-Users

Realm: COMPANY.COM
    Realm Options: strip
    Domain: CompanyDomain
    Source: AD-Computers
Internal Sources:

AD-Users:
    Base DN: OU=Users,OU=Location,DC=CompanyDomain,DC=com
    Username Attribute: sAMAccountName
    Use stripped username: yes
    Rules:
        Conditions: none
        Role: User-auth
        Unreg date: future

AD-Admins:
    Base DN: OU=Users,DC=CompanyDomain,DC=com
    Username Attribute: sAMAccountName
    Use stripped username: yes
    Rules:
        Conditions: memberof, is member of, CN=Company IT,OU=Groups,OU=Location,DC=CompanyDomain,DC=com
        Role: Management
        Unreg date: future

AD-Computers:
    Base DN: OU=Location,DC=CompanyDomain,DC=com
    Scope: Subtree
    Username Attribute: servicePrincipalName
    Rules:
        Conditions: none
        Role: Machine-auth
        Unreg date: future
Role User-Auth and Machine-auth are mapped to VLAN 10 on switches, Management
role is mapped to VLAN 100.
I have set up only one portal profile, containing all sources:

    Activate preregistration: disabled
    Automatically register devices: enabled
    Reuse dot1x credentials: enabled
    Dot1x recompute role from portal: enabled
    Filters:
        If any condition matches:
            Connection type=Ethernet-EAP
            Connection type=Wireless-802.11-EAP
    Sources:
        AD-Admins
        AD-Users
        AD-Computers
    Provisioners:
        EAPTLS
Best regards,
BISCA A/S
Jes Kasper Klittum
Head of IT
Ahornvej 1,
DK-4780 Stege
+45 3162 3495
+45 7211 0495
[email protected]
www.bisca.com
Please consider the environment before printing this e-mail.
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, SlashDot.org! http://sdm.link/slashdot
_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users