Sorry, I realised it's not setting the role because I was using the attribute 
sAMAccountName rather than servicePrincipalName.

However I'm still not quite sure how to apply two different roles as discussed 
in Section 8.  I've added both sources with different roles to my profile but 
it appears to authenticate with the first source ignoring the Base DN.



-----Original Message-----
From: John Sayce via PacketFence-users 
[mailto:[email protected]] 
Sent: 09 August 2018 08:02
To: '[email protected]' 
<[email protected]>
Cc: John Sayce <[email protected]>
Subject: Re: [PacketFence-users] 802.1x, Roles/Dynamic VLAN & Certificates.....

Got the certificate sorted, that was pretty straightforward when I actually 
followed things through.

I am still having issues with role assignment.  At the moment I've only got one 
role and one authentication source with a rule to apply a role without any 
conditions in my authentication source, but the role doesn't apply.  I'm not 
really sure how to debug things though?

I followed section 5.5 to create a connection profile 
https://packetfence.org/doc/PacketFence_Installation_Guide.html#_configuring_the_connection_profile

Ideally I'd like to do something like section 8, 
https://packetfence.org/doc/PacketFence_Installation_Guide.html#_introduction_to_role_based_access_control
such that there are two authentication sources with different "Base DN" and 
this leads to the application of two different roles.

John

-----Original Message-----
From: Durand fabrice via PacketFence-users 
[mailto:[email protected]]
Sent: 04 August 2018 02:19
To: [email protected]
Cc: Durand fabrice <[email protected]>
Subject: Re: [PacketFence-users] 802.1x, Roles/Dynamic VLAN & Certificates.....

Hello John,


On 2018-08-03 at 11:18, John Sayce via PacketFence-users wrote:
> Hi,
>
> I've set up 802.1X for my wireless.  I initially started using NPS but it 
> didn't have the flexibility I wanted for dynamic VLAN assignment.  So I've 
> set up PacketFence and my clients can authenticate but they're not getting 
> assigned the roles I'd like, to then go in the appropriate VLAN.
>
> Specifically I want to assign roles based on organisational unit.  Am I 
> correct, that the (best) way to do this is to create an active directory 
> source for each role with a rule that then checks the distinguished name to 
> get the organisational unit with the action to assign the appropriate role?  
> As I say, at the moment this doesn't appear to work, but I haven't tried to 
> debug it yet, so I might have made a silly mistake somewhere.
As I remember, a DN cannot be used for an ldapsearch
(https://www.openldap.org/lists/openldap-software/200503/msg00520.html),
but maybe I am wrong.
The better way to test it will be to configure a rule like distinguishedName regex 
ou=blablabla and use pftest to see if the rule matches.
Btw I prefer to use groupMembership for that.
> Initially I set up the client to skip verification of the server's certificate 
> to see the radius requests coming in.  Later I re-enabled the verification 
> and added the certificates to the trusted root store but received an error 
> about a valid trust anchor for this profile.  I believe I can override this 
> by specifying the specific certificate in group policy but I didn't really 
> understand the error message.  Ultimately I have a Microsoft PKI setup so I'd 
> like to assign a certificate from this.  The manual says I then edit the 
> "/usr/local/pf/conf/radiusd/eap.conf" and point the relevant settings at the 
> certificates files approved by my Microsoft PKI.  Is that sufficient?  And 
> will I still get the error about a valid trust anchor?  I don't believe I 
> encountered that issue with NPS.
NPS knows the Microsoft PKI, so by default I think there is already a 
certificate for it.
So you will need to generate a certificate on the PKI for the RADIUS server 
(https://github.com/inverse-inc/packetfence/blob/devel/docs/pki/microsoft.asciidoc#radius-certificate-generation).

With that you will probably not have the valid trust anchor issue anymore with the 
devices joined to the domain, but you will still have it for the rest (you need 
to install the CA public key on each device).
Regards,
Fabrice

>
> Thanks
> John
> ----------------------------------------------------------------------
> -------- Check out the vibrant tech community on one of the world's 
> most engaging tech sites, Slashdot.org! http://sdm.link/slashdot 
> _______________________________________________
> PacketFence-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/packetfence-users
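To make the Base DN scoping and rule matching discussed in this thread concrete, here is an added Python illustration (not PacketFence's own code and not pftest): it models an ordered list of authentication sources, each with a Base DN and a rule that either regex-matches the OU in distinguishedName or checks memberOf (the groupMembership approach Fabrice prefers), and returns the role from the first source whose Base DN actually contains the entry. All directory entries, source names, DNs and group names are constructed for the example.

```python
import re

# Constructed sample AD entries, keyed by the attribute the source looks up
# (servicePrincipalName for machine accounts, as found in the thread). Not real data.
ENTRIES = {
    "host/lab-pc01.example.local": {
        "distinguishedName": "CN=LAB-PC01,OU=Lab,OU=Workstations,DC=example,DC=local",
        "memberOf": ["CN=Lab-Machines,OU=Groups,DC=example,DC=local"],
    },
    "host/fin-pc07.example.local": {
        "distinguishedName": "CN=FIN-PC07,OU=Finance,OU=Workstations,DC=example,DC=local",
        "memberOf": ["CN=Finance-Machines,OU=Groups,DC=example,DC=local"],
    },
}

# Constructed authentication sources, in the order they would be tried.
SOURCES = [
    {"name": "AD-Lab", "base_dn": "OU=Lab,OU=Workstations,DC=example,DC=local",
     "rules": [{"attr": "distinguishedName", "regex": r"OU=Lab,", "role": "lab"}]},
    {"name": "AD-Finance", "base_dn": "OU=Finance,OU=Workstations,DC=example,DC=local",
     "rules": [{"attr": "memberOf", "regex": r"^CN=Finance-Machines,", "role": "finance"}]},
]

def _rdns(dn):
    return [part.strip().lower() for part in dn.split(",")]

def under_base_dn(dn, base_dn):
    """True when dn sits at or below base_dn (suffix match on normalised RDNs)."""
    d, b = _rdns(dn), _rdns(base_dn)
    return len(d) >= len(b) and d[-len(b):] == b

def rule_matches(rule, entry):
    """Regex the rule's attribute; multi-valued attributes match on any value."""
    values = entry.get(rule["attr"], [])
    if isinstance(values, str):
        values = [values]
    return any(re.search(rule["regex"], v, re.IGNORECASE) for v in values)

def assign_role(username, sources=SOURCES, entries=ENTRIES):
    """Return (source name, role) from the first in-scope source whose rule matches."""
    entry = entries.get(username)
    if entry is None:
        return None
    for src in sources:
        if not under_base_dn(entry["distinguishedName"], src["base_dn"]):
            continue  # entry is outside this source's Base DN; it must not match here
        for rule in src["rules"]:
            if rule_matches(rule, entry):
                return src["name"], rule["role"]
    return None
```

If a machine in the Finance OU ends up with the lab role, the source order or the Base DN check is what to inspect first, which is what pftest against each source would show.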

