Hi Jason,
Sorry for the delay. We've been busy with the latest release here...
I think the issue below is that you have enabled autoregistration on the
default profile.
So your WIRED_MAC_AUTH devices are autoregistered, but since they don't provide
a username (as they would if it were 802.1x) then PF has no way to assign them
a role.
The solution is to create a profile that matches MAC authentication and disable
autoregistration on it.
The devices will then be forced to register, i.e. they'll be placed behind the
captive portal.
Hope this helps,
--
Louis Munro
[email protected] :: www.inverse.ca
+1.514.447.4918 x125 :: +1 (866) 353-6153 x125
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and
PacketFence (www.packetfence.org)
> On Jul 7, 2017, at 12:32, Jason 'XenoPhage' Frisvold <[email protected]>
> wrote:
>
> On 7/6/17 17:01, Louis Munro wrote:
>> Hi Jason,
>> At first glance, the logs below seem to indicate something is wrong when
>> it comes to assigning a role to the device.
>>
>> Can we see your authentication.conf, profiles.conf and switches.conf at
>> the very least?
>> It's hard to say what goes wrong without knowing what role should be
>> assigned.
>
> Sure. See below :
>
> authentication.conf :
> ---------------------
>
> [local]
> description=Local Users
> dynamic_routing_module=AuthModule
> type=SQL
>
> [file1]
> description=Legacy Source
> stripped_user_name=yes
> path=/usr/local/pf/conf/admin.conf
> dynamic_routing_module=AuthModule
> type=Htpasswd
>
> [file1 rule admins]
> description=All admins
> class=administration
> match=all
> action0=set_access_level=ALL
>
> [sms]
> description=SMS-based registration
> sms_carriers=100056,100057,100061,100058,100059,100060,100062,100063,100071,100064,100116,100066,100117,100112,100067,100065,100068,100069,100070,100118,100115,100072,100073,100074,100075,100076,100077,100085,100086,100080,100079,100081,100083,100082,100084,100087,100088,100111,100089,100090,100091,100092,100093,100094,100095,100096,100098,100097,100099,100100,100101,100113,100102,100103,100104,100106,100105,100107,100108,100109,100114,100110,100078,100122
> dynamic_routing_module=AuthModule
> type=SMS
> create_local_account=no
>
> [sms rule catchall]
> description=
> class=authentication
> match=all
> action0=set_role=guest
> action1=set_access_duration=1D
>
> [email]
> description=Email-based registration
> dynamic_routing_module=AuthModule
> email_activation_timeout=10m
> type=Email
> create_local_account=no
> allow_localdomain=yes
>
> [email rule catchall]
> description=
> class=authentication
> match=all
> action0=set_role=guest
> action1=set_access_duration=1D
>
> [sponsor]
> description=Sponsor-based registration
> dynamic_routing_module=AuthModule
> type=SponsorEmail
> create_local_account=no
> allow_localdomain=yes
>
> [sponsor rule catchall]
> description=
> class=authentication
> match=all
> action0=set_role=guest
> action1=set_access_duration=1D
>
> [null]
> description=Null Source
> dynamic_routing_module=AuthModule
> type=Null
> email_required=no
>
> [null rule catchall]
> description=catchall
> class=authentication
> match=all
> action0=set_role=guest
> action1=set_access_duration=1D
>
>
>
> profiles.conf :
> ---------------
>
> [default]
> description=Default Profile
> logo=/common/packetfence-white.png
> redirecturl=http://www.packetfence.org/
> always_use_redirecturl=disabled
> locale=en_US
> nbregpages=0
> filter_match_style=any
> block_interval=10m
> sms_pin_retry_limit=0
> sms_request_limit=0
> login_attempt_limit=0
> root_module=default_policy
> billing_tiers=
> dot1x_recompute_role_from_portal=enabled
> preregistration=disabled
> autoregister=enabled
> scans=
> reuse_dot1x_credentials=0
> sources=
> provisioners=
>
>
> switches.conf :
> ---------------
>
> #
> # Copyright (C) 2005-2015 Inverse inc.
> #
> # See the enclosed file COPYING for license information (GPL).
> # If you did not receive this file, see
> # http://www.fsf.org/licensing/licenses/gpl.html
> [default]
> RoleMap=Y
>
> [10.10.10.50]
> description=sw50.example.com
> group=OfficeHubs
>
> [10.10.10.51]
> description=sw51.example.com
> group=OfficeHubs
>
> [10.10.10.52]
> description=sw52.example.com
> group=OfficeHubs
>
> [10.10.10.53]
> description=sw53.example.com
> group=OfficeHubs
>
> [10.10.10.54]
> description=sw55.example.com
> group=OfficeHubs
>
> [10.10.10.55]
> description=sw55.example.com
> group=OfficeHubs
>
> [10.10.10.56]
> description=sw56.example.com
> group=OfficeHubs
>
> [10.10.10.57]
> description=sw57.example.com
> group=OfficeHubs
>
> [10.10.10.58]
> description=sw58.example.com
> group=OfficeHubs
>
> [10.10.10.59]
> description=sw59.example.com
> group=OfficeHubs
>
> [group OfficeHubs]
> VoIPCDPDetect=Y
> VoIPDHCPDetect=Y
> AccessListMap=N
> description=Office Switches (2960-CX)
> VoIPEnabled=Y
> UrlMap=N
> useCoA=Y
> deauthMethod=RADIUS
> type=Cisco::Catalyst_2960
> VoIPLLDPDetect=Y
> PRESENTATIONVlan=1300
> EMPLOYEEVlan=1100
> registrationVlan=4000
> PRINTERVlan=1200
> isolationVlan=2000
> voiceVlan=1500
> mode=production
> guestVlan=1000
> radiusSecret=abc123
> RoleMap=N
> defaultVlan=4000
> macDetectionVlan=4000
>
>
> --
> ---------------------------
> Jason 'XenoPhage' Frisvold
> [email protected]
> ---------------------------
>
> “Space,” it says, “is big. Really big. You just won’t believe how
> vastly, hugely, mindbogglingly big it is. I mean, you may think it’s
> a long way down the road to the chemist’s, but that’s just peanuts to
> space.”
> - The Hitchhikers Guide to the Galaxy
>
_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
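
A small audit for the condition described in the reply at the top of this thread, added here as an example (it is not part of the original messages and not PacketFence code): it reads a profiles.conf, tolerating `>` e-mail quoting, and lists every profile with `autoregister=enabled`, marking the catch-all `[default]` profile. The `mac_auth_portal` profile and the function names are hypothetical; only the keys shown in the thread are used.

```python
import configparser

# Constructed sample: the thread's [default] profile (abridged) plus a
# hypothetical profile with autoregistration off, still in "> " quoting.
SAMPLE = """\
> [default]
> description=Default Profile
> filter_match_style=any
> autoregister=enabled
> sources=
>
> [mac_auth_portal]
> description=Hypothetical MAC authentication profile
> autoregister=disabled
"""

def strip_quote_prefix(text):
    """Drop e-mail '>' quoting and indentation so the text parses as INI."""
    cleaned = []
    for line in text.splitlines():
        line = line.lstrip(" ")
        while line.startswith(">"):
            line = line[1:].lstrip(" ")
        cleaned.append(line)
    return "\n".join(cleaned)

def audit_autoregister(conf_text):
    """Return (profile, is_catch_all) for each profile that autoregisters."""
    parser = configparser.ConfigParser(
        interpolation=None,           # values may contain '%'
        strict=False,                 # tolerate duplicated keys in pasted config
        default_section="__unused__"  # keep [default] an ordinary section
    )
    parser.read_string(strip_quote_prefix(conf_text))
    findings = []
    for name in parser.sections():
        value = parser.get(name, "autoregister", fallback="")
        if value.strip().lower() == "enabled":
            # [default] applies when no other profile matches, so it also
            # covers MAC authentication, which supplies no username.
            findings.append((name, name == "default"))
    return findings

if __name__ == "__main__":
    for profile, catch_all in audit_autoregister(SAMPLE):
        scope = "catch-all profile" if catch_all else "filtered profile"
        print(f"[{profile}] autoregister=enabled ({scope})")
```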