Hi, thanks.
Forgive me for my questions, the concept of NAC is new to me.
I guess I am still confused about assigning (or not assigning) the role. “you
cannot switch a node role because it will be recomputed on every radius
request” has me confused. What is the role being computed from? I was under the
impression from reading, that the role could be “automatically” computed and
assigned by using various LDAP or AD attributes. And so having it recomputed is
a good thing, because if it finds a change in the AD, then it would compute it
to the new role based on the AD attributes.
From what you said here, it sounds like I would have to edit each node record
to assign the role manually?
Am I thinking about this the wrong way?
Thanks
Darryl
From: Ludovic Zammit [mailto:[email protected]]
Sent: Monday, August 14, 2017 10:43 AM
To: Sokolowski, Darryl <[email protected]>
Cc: [email protected]
Subject: Re: [PacketFence-users] Machine authentication not getting role
Hello,
If you are doing machine authentication with auto registration, you cannot
switch a node role because it will be recomputed on every radius request.
You could use the bypass role if you want to drop the device into a specific
role. You will find it under Nodes > MAC > Bypass Role.
For your AD source, if you are doing machine authentication on a microsoft AD,
make sure that you are checking the correct LDAP attribute.
Username Attribute = servicePrincipalName
Thanks,
Ludovic Zammit
[email protected] :: +1.514.447.4918 (x145) :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence
(http://packetfence.org)
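To make the two points in the reply above concrete, here is an added example (not PacketFence's own code, and not from anyone in this thread) that models a machine-authentication source the way the thread describes it: the EAP identity is looked up in AD by the configured username attribute, the role is recomputed from the account's current attributes on every request (first matching rule wins, so an OU-based rule such as the one Darryl wants sits above the catch-all), and a bypass role set on the node replaces whatever the rules produced. The DIRECTORY entries, the rule format, and all account names are constructed for illustration; the only real-world facts it leans on are that a domain-joined Windows machine authenticates as host/<fqdn>, that this string appears in servicePrincipalName rather than sAMAccountName, and that AD compares these attributes case-insensitively.

```python
# Added example, not PacketFence's own code: models how a machine-auth
# source computes a role from AD attributes on every request, why the
# "Username Attribute" matters for host/... identities, and how a bypass
# role overrides the computed one. DIRECTORY, RULES and all names are
# constructed for illustration.
from dataclasses import dataclass
from typing import Optional

# Constructed stand-in for the AD lookup result (attribute -> values).
# On a real machine account servicePrincipalName is multi-valued and
# sAMAccountName ends in "$"; the domain-joined computer authenticates
# as "host/<fqdn>", which is why the reply points at servicePrincipalName.
DIRECTORY = [
    {"sAMAccountName": ["WS-FIN-01$"],
     "distinguishedName": ["CN=WS-FIN-01,OU=Workstations,OU=Finance,DC=corp,DC=example"],
     "servicePrincipalName": ["HOST/WS-FIN-01", "HOST/ws-fin-01.corp.example"]},
    {"sAMAccountName": ["SRV-DB-02$"],
     "distinguishedName": ["CN=SRV-DB-02,OU=Servers,DC=corp,DC=example"],
     "servicePrincipalName": ["HOST/SRV-DB-02", "HOST/srv-db-02.corp.example",
                              "MSSQLSvc/srv-db-02.corp.example:1433"]},
    {"sAMAccountName": ["LAPTOP-9$"],
     # Default Computers container: a CN, not an OU, so OU rules miss it.
     "distinguishedName": ["CN=LAPTOP-9,CN=Computers,DC=corp,DC=example"],
     "servicePrincipalName": ["HOST/LAPTOP-9", "HOST/laptop-9.corp.example"]},
]


@dataclass
class Rule:
    name: str
    # Each condition is (attribute, operator, value); all must hold.
    conditions: list
    role: Optional[str] = None
    access_duration: Optional[str] = None


# Ordered like a source's rule list: first match wins, catch-all last.
RULES = [
    Rule("servers", [("distinguishedName", "contains", "OU=Servers,")], "servers", "1Y"),
    Rule("finance", [("distinguishedName", "contains", "OU=Finance,")], "finance", "1D"),
    Rule("catch-all", [], "default", "1D"),
]


def lookup(username_attribute: str, identity: str) -> Optional[dict]:
    """Return the account whose username_attribute equals the EAP identity.
    AD compares these attributes case-insensitively, so do the same."""
    for entry in DIRECTORY:
        if any(v.lower() == identity.lower() for v in entry.get(username_attribute, [])):
            return entry
    return None


def rule_matches(rule: Rule, entry: dict) -> bool:
    for attr, op, value in rule.conditions:
        values = [v.lower() for v in entry.get(attr, [])]
        if op == "contains":
            ok = any(value.lower() in v for v in values)
        elif op == "equals":
            ok = value.lower() in values
        else:
            raise ValueError("unknown operator %r" % op)
        if not ok:
            return False
    return True  # no conditions (catch-all) matches everything


def authorize(identity: str, rules=RULES, username_attribute="servicePrincipalName",
              bypass_role: Optional[str] = None) -> dict:
    """One RADIUS request: look the identity up, recompute the role from the
    current directory state, then let a bypass role (if set on the node)
    replace whatever the rules produced."""
    entry = lookup(username_attribute, identity)
    if entry is None:
        return {"accept": False, "reason": "no %s match for %r" % (username_attribute, identity)}
    for rule in rules:
        if rule_matches(rule, entry):
            result = {"accept": True, "matched_rule": rule.name,
                      "role": rule.role, "access_duration": rule.access_duration}
            break
    else:
        result = {"accept": True, "matched_rule": None, "role": None, "access_duration": None}
    if bypass_role:
        result["role"], result["bypass"] = bypass_role, True
    return result


def move_account(sam_account_name: str, new_dn: str) -> None:
    """Simulate moving the computer object to another OU in AD."""
    for entry in DIRECTORY:
        if entry["sAMAccountName"] == [sam_account_name]:
            entry["distinguishedName"] = [new_dn]


if __name__ == "__main__":
    print(authorize("host/ws-fin-01.corp.example"))                                      # role finance
    print(authorize("host/ws-fin-01.corp.example", username_attribute="sAMAccountName"))  # rejected
    print(authorize("host/laptop-9.corp.example"))                                       # role default
    print(authorize("host/srv-db-02.corp.example", bypass_role="quarantine"))            # role quarantine
    move_account("WS-FIN-01$", "CN=WS-FIN-01,OU=Servers,DC=corp,DC=example")
    print(authorize("host/ws-fin-01.corp.example"))                                      # role servers
```

The second call shows the failure mode the reply warns about: with sAMAccountName as the username attribute, the host/... identity matches nothing, so the source contributes no role even though the RADIUS accept may still come from elsewhere. The last two calls show why per-request recomputation is the desired behaviour (moving the account to another OU changes the role at the next request) and why the bypass role is the only per-node override that survives it.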
On Aug 14, 2017, at 9:10 AM, Sokolowski, Darryl <[email protected]> wrote:
Hi Ludovic. Thanks. I'm using machine authentication against active directory.
Right now I'm trying to get a catch all rule to assign a role just to make sure
I have that part working, so that I can ultimately assign different roles
according to the OU that the machine account resides in. Right now I'm not
testing for the ou, just assigning a role to test that my rule works.
In the packetfence log I see the authentication success, but no role assignment.
Machine auth works, as I can autoregister and I get on the management network,
but any role I put in the authentication rule doesn't get assigned to the
machine.
Thanks
Darryl
-------- Original message --------
From: Ludovic Zammit via PacketFence-users <[email protected]>
Date: 8/14/17 7:47 AM (GMT-05:00)
To: [email protected]
Cc: Ludovic Zammit <[email protected]>
Subject: Re: [PacketFence-users] Machine authentication not getting role
PS: /usr/local/pf/bin/pftest authentication username password
You can put "" if you don't want to display the password in the CLI.
Thanks,
Ludovic Zammit
[email protected] :: +1.514.447.4918 (x145) :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence
(http://packetfence.org)
On Aug 14, 2017, at 7:43 AM, Ludovic Zammit via PacketFence-users
<[email protected]> wrote:
Hello,
Are you doing user authentication? If yes, please check the tool
/usr/local/pf/bin/pftest username password; you will see if your username brings
any access settings.
If you check in the /usr/local/pf/logs/packetfence.log you should be able to
see all the action taken after the radius request.
Thanks,
Ludovic Zammit
[email protected] :: +1.514.447.4918 (x145) :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence
(http://packetfence.org)
On Aug 11, 2017, at 4:13 PM, Sokolowski, Darryl via PacketFence-users
<[email protected]> wrote:
Hi everyone,
Can anyone help me with this please?
I have the machine authentication source looking at active directory, and a
rule to assign role and access duration.
I am able to automatically register the device via machine authentication, but
I can’t get the role assigned when it registers.
On the switch I see
%AUTHMGR-5-START: Starting 'dot1x' for client
%DOT1X-5-SUCCESS: Authentication successful for client
%AUTHMGR-5-SUCCESS: Authorization succeeded for client
But the role is not sent.
Raddebug shows the correct realm is identified and used, and the machine
authentication source is defined in the realm.
In the nodes in packetfence, I see the node is registered with the owner as the
machine name but no role is assigned.
I don’t know what I’m missing.
Thanks
Darryl
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users