Hello Darryl,
Sorry I was not that clear, I admit it.
If you want to auto-register domain-joined computers without seeing the captive
portal, configure the following:
- an AD source with Username Attribute = servicePrincipalName and a rule that
will match and give a role and an unreg date:
[AD]
description=Microsoft Active Directory
password=*********
scope=sub
binddn=cn=administrator,cn=users,dc=domain,dc=local
basedn=cn=users,dc=inverse,dc=local
email_attribute=mail
usernameattribute=serviceprincipalname
connection_timeout=5
stripped_user_name=yes
encryption=none
dynamic_routing_module=AuthModule
port=389
type=AD
host=10.0.0.1
[AD rule catchall]
class=authentication
match=all
action0=set_access_duration=1h
action1=set_role=default
- Configure your domain:
[mylovelyAD]
ntlm_cache_filter=(&(samAccountName=*)(!(|(lockoutTime=>0)(userAccountControl:1.2.840.113556.1.4.803:=2))))
ntlm_cache=disabled
dns_server=10.0.0.1
registration=0
ntlm_cache_expiry=3600
dns_name=domain.local
ou=Computers
bind_pass=
ntlm_cache_on_connection=disabled
bind_dn=
workgroup=inverse
ad_server=10.0.0.1
ntlm_cache_batch_one_at_a_time=disabled
ntlm_cache_batch=disabled
server_name=unicorn13
dns_servers=10.0.0.1
sticky_dc=*
- Configure the REALMs:
[DEFAULT]
domain=mylovelyAD
[NULL]
domain=mylovelyAD
- Configure a connection profile that matches the switch, SSID, etc.:
[SecureSSID]
locale=
filter=ssid:PF-Secure
description=Secure-SSID
sources=mylovelyAD
autoregister=enabled
- Keep in mind that if you edit your files via the CLI, you will need to push the
new config with:
/usr/local/pf/bin/pfcmd configreload hard
Once you have done that config, restart PF:
/usr/local/pf/bin/pfcmd service pf restart
Here is what should happen:
- RADIUS request from your equipment
- PF authenticates your computer against the AD and brings the default role
- PF returns the VLAN ID for the default role on your equipment based on
switches.conf
- VLAN applied on the connection
- DHCP in that VLAN
- Access on the network
You don't need to switch a role for each device manually; if the device matches
the catchall rule you're golden!
I skipped a lot of steps but I hope it will help you.
Thanks!
Ludovic Zammit
[email protected] :: +1.514.447.4918 (x145) :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence (http://packetfence.org)
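Before pushing a config like the one above with pfcmd configreload, it helps to confirm that the four fragments actually reference each other. The script below is an added example, not PacketFence code: it cross-checks constructed samples modelled on the thread (section and key names follow authentication.conf, domain.conf, realm.conf and profiles.conf; the sample profile's sources= names the source id "AD", since that key lists authentication sources, not domains) and reports the breaks that leave a node registered without a role.

```python
import configparser

# Constructed fragments modelled on the thread. profiles.conf sources= names
# authentication-source ids (here "AD"); realm.conf domain= names domain.conf sections.
AUTHENTICATION_CONF = """[AD]
type=AD
usernameattribute=serviceprincipalname
[AD rule catchall]
class=authentication
match=all
action0=set_access_duration=1h
action1=set_role=default
"""
DOMAIN_CONF = "[mylovelyAD]\ndns_name=domain.local\nad_server=10.0.0.1\n"
REALM_CONF = "[DEFAULT]\ndomain=mylovelyAD\n[NULL]\ndomain=mylovelyAD\n"
PROFILES_CONF = "[SecureSSID]\nfilter=ssid:PF-Secure\nsources=AD\nautoregister=enabled\n"

def load(text):
    # [DEFAULT] is a real realm in PacketFence, so it must not become configparser's
    # defaults section; values may contain ':' (LDAP filters), so split on '=' only.
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",),
                                   default_section="@@none@@")
    cp.read_string(text)
    return cp

def check_autoregistration(auth_txt, domain_txt, realm_txt, profile_txt):
    """Return findings for the machine-auth chain; an empty list means consistent."""
    auth, domains, realms, profiles = (load(t) for t in
                                      (auth_txt, domain_txt, realm_txt, profile_txt))
    findings = []
    sources = [s for s in auth.sections() if " rule " not in s]
    for src in sources:
        if (auth[src].get("type") == "AD" and
                auth[src].get("usernameattribute", "").lower() != "serviceprincipalname"):
            findings.append(f"source {src}: machine auth needs usernameattribute=servicePrincipalName")
        actions = [v for r in auth.sections() if r.startswith(src + " rule ")
                   for k, v in auth[r].items() if k.startswith("action")]
        if not any(a.startswith("set_role=") for a in actions):
            findings.append(f"source {src}: no rule sets a role, so nodes register without one")
    for realm in realms.sections():  # every realm must map to a joined domain
        dom = realms[realm].get("domain")
        if dom not in domains.sections():
            findings.append(f"realm {realm}: domain {dom!r} is not defined in domain.conf")
    for prof in profiles.sections():  # profile must auto-register via a real source
        if profiles[prof].get("autoregister") != "enabled":
            findings.append(f"profile {prof}: autoregister is not enabled")
        for src in profiles[prof].get("sources", "").split(","):
            if src.strip() not in sources:
                findings.append(f"profile {prof}: source {src.strip()!r} is not an authentication source")
    return findings
```

Point the four arguments at the contents of your real files under /usr/local/pf/conf/ to run the same checks on a live install.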
> On Aug 14, 2017, at 2:22 PM, Sokolowski, Darryl <[email protected]> wrote:
>
> Hi, thanks.
> Forgive me for my questions, the concept of NAC is new to me.
> I guess I am still confused about assigning (or not assigning) the role. “you
> cannot switch a node role because it will be recomputed on every radius
> request” has me confused. What is the role being computed from? I was under
> the impression from reading, that the role could be “automatically” computed
> and assigned by using various LDAP or AD attributes. And so having it
> recomputed is a good thing, because if it finds a change in the AD, then it
> would compute it to the new role based on the AD attributes.
> From what you said here, it sounds like I would have to edit each node record
> to assign the role manually?
> Am I thinking about this the wrong way?
>
> Thanks
> Darryl
>
>
> From: Ludovic Zammit [mailto:[email protected]]
> Sent: Monday, August 14, 2017 10:43 AM
> To: Sokolowski, Darryl <[email protected]>
> Cc: [email protected]
> Subject: Re: [PacketFence-users] Machine authentication not getting role
>
> Hello,
>
> If you are doing machine authentication with auto registration, you cannot
> switch a node role because it will be recomputed on every RADIUS request.
>
> You could use the bypass role if you want to drop the device into a specific
> role. You will find it under Nodes > MAC > Bypass Role.
>
> For your AD source, if you are doing machine authentication on a Microsoft
> AD, make sure that you are checking the correct LDAP attribute.
>
> Username Attribute = servicePrincipalName
>
> Thanks,
> Ludovic Zammit
> [email protected] :: +1.514.447.4918 (x145) :: www.inverse.ca
> Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence (http://packetfence.org)
>
>
>
> On Aug 14, 2017, at 9:10 AM, Sokolowski, Darryl <[email protected]> wrote:
>
> Hi Ludovic. Thanks. I'm using machine authentication against active
> directory. Right now I'm trying to get a catch all rule to assign a role just
> to make sure I have that part working, so that I can ultimately assign
> different roles according to the OU that the machine account resides in.
> Right now I'm not testing for the ou, just assigning a role to test that my
> rule works.
>
> In the packetfence log I see the authentication success, but no role
> assignment.
>
> Machine auth works, as I can autoregister and I get on the management
> network, but any role I put in the authentication rule doesn't get assigned
> to the machine.
>
> Thanks
> Darryl
>
>
>
>
> -------- Original message --------
> From: Ludovic Zammit via PacketFence-users <[email protected]>
> Date: 8/14/17 7:47 AM (GMT-05:00)
> To: [email protected]
> Cc: Ludovic Zammit <[email protected]>
> Subject: Re: [PacketFence-users] Machine authentication not getting role
>
> PS: /usr/local/pf/bin/pftest authentication username password
>
> You can put "" if you don't want to display the password in the CLI.
>
> Thanks,
> Ludovic Zammit
> [email protected] :: +1.514.447.4918 (x145) :: www.inverse.ca
> Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence (http://packetfence.org)
>
>
>
> On Aug 14, 2017, at 7:43 AM, Ludovic Zammit via PacketFence-users <[email protected]> wrote:
>
> Hello,
>
> Are you doing user authentication? If yes, please check the tool
> /usr/local/pf/bin/pftest username password; you will see if your username
> brings any access settings.
>
> If you check /usr/local/pf/logs/packetfence.log you should be able to
> see all the actions taken after the RADIUS request.
>
> Thanks,
> Ludovic Zammit
> [email protected] :: +1.514.447.4918 (x145) :: www.inverse.ca
> Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence (http://packetfence.org)
>
>
>
> On Aug 11, 2017, at 4:13 PM, Sokolowski, Darryl via PacketFence-users <[email protected]> wrote:
>
> Hi everyone,
> Can anyone help me with this please?
> I have the machine authentication source looking at active directory, and a
> rule to assign role and access duration.
> I am able to automatically register the device via machine authentication,
> but I can’t get the role assigned when it registers.
> On the switch I see
> %AUTHMGR-5-START: Starting 'dot1x' for client
> %DOT1X-5-SUCCESS: Authentication successful for client
> %AUTHMGR-5-SUCCESS: Authorization succeeded for client
>
> But the role is not sent.
>
> Raddebug shows the correct realm is identified and used, and the machine
> authentication source is defined in the realm.
>
> In the nodes in packetfence, I see the node is registered with the owner as
> the machine name but no role is assigned.
>
> I don’t know what I’m missing.
>
> Thanks
> Darryl
>
> ------------------------------------------------------------------------------
> Check out the vibrant tech community on one of the world's most
> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
> _______________________________________________
> PacketFence-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/packetfence-users
>
>
>
>
>