I think I've got it working but I haven’t tested it very thoroughly so I may be
mistaken. I think there's still something I'm doing wrong.
I'm using a regex match on the distinguished name still. I started testing it
with group membership as I thought using the distinguished name might have been
the issue but it still didn't work so I don't think that's the case.
If I test it, I create a user account and have the Username Attribute in the
authentication source set to sAMAccountName. This seems to work fine:
Aug 13 10:01:50 pftest(18774) INFO: [Test] Authentication successful for jtest1
(pf::Authentication::Source::LDAPSource::authenticate)
Aug 13 10:01:50 pftest(18774) INFO: Using sources Test for matching
(pf::authentication::match)
Aug 13 10:01:50 pftest(18774) INFO: Matched rule (Youth) in source Test,
returning actions. (pf::Authentication::Source::match)
Aug 13 10:01:50 pftest(18774) INFO: Using sources Test for matching
(pf::authentication::match)
The following may require more testing to confirm it's all correct and the
results are consistently reproducible:
When I switch to using machine authentication, I can't test using pftest with
the correct password and I'm kind of guessing what to put in the username field
for testing. When I have the Username Attribute set to servicePrincipalName
and I test with 'host/' followed by the fqdn of the host, for example
'host/IT-L-HP250.asd.local' this works. But when I try this by connecting to
the wireless network packetfence doesn't match my rule. (I was testing on
Saturday so I'm not sure exactly which section of the log to pick out so I
might need to try this again to get more informaiton.)
So I looked in active directory at the attributes and servicePrincipalName is a
multi-value field so I didn't know if this was causing an issue?
So I changed the Username Attribute to 'name' (although I'm also not sure what
the issue with sAMAccountName is.) Now the previous test with pftest fails so
I switched to using simply the hostname 'IT-L-HP250' which again matches the
rule but fails the authentication due to now knowing the password. However in
this configuration when I tried connecting to the wireless it worked but I got
the same errors in the log. This is the log of a successful authentication and
matching the rule
Aug 11 11:48:56 httpd.aaa(12652) INFO: [mac:80:56:f2:15:b8:a9] handling radius
autz request: from switch_ip => (10.16.20.102), connection_type =>
Wireless-802.11-EAP,switch_mac => (e8:39:35:65:87:56), mac =>
[80:56:f2:15:b8:a9], port => 88, username => "host/IT-L-HP250.asd.local", ssid
=> test (pf::radius::authorize)
Aug 11 11:48:56 httpd.aaa(12652) INFO: [mac:80:56:f2:15:b8:a9] is doing machine
auth with account 'host/IT-L-HP250.asd.local'. (pf::radius::authorize)
Aug 11 11:48:56 httpd.aaa(12652) INFO: [mac:80:56:f2:15:b8:a9] Instantiate
profile 802.1x (pf::Portal::ProfileFactory::_from_profile)
Aug 11 11:48:56 httpd.aaa(12652) INFO: [mac:80:56:f2:15:b8:a9] Memory
configuration is not valid anymore for key resource::authentication_sources in
local cached_hash (pfconfig::cached::is_valid)
Aug 11 11:48:56 httpd.aaa(12652) WARN: [mac:80:56:f2:15:b8:a9] Calling match
with empty/invalid rule class. Defaulting to 'authentication'
(pf::authentication::match)
Aug 11 11:48:56 httpd.aaa(12652) INFO: [mac:80:56:f2:15:b8:a9] Using sources
Test for matching (pf::authentication::match)
Aug 11 11:48:56 httpd.aaa(12652) ERROR: [mac:80:56:f2:15:b8:a9] Error binding
'Connection reset by peer' (pf::LDAP::bind)
Aug 11 11:48:56 httpd.aaa(12652) WARN: [mac:80:56:f2:15:b8:a9] LDAP connection
expired (pf::LDAP::expire_if)
Aug 11 11:48:56 httpd.aaa(12652) INFO: [mac:80:56:f2:15:b8:a9] Matched rule
(Internal) in source Test, returning actions.
(pf::Authentication::Source::match)
Aug 11 11:48:56 httpd.aaa(12652) INFO: [mac:80:56:f2:15:b8:a9] Using sources
Test for matching (pf::authentication::match)
Aug 11 11:48:56 httpd.aaa(12652) ERROR: [mac:80:56:f2:15:b8:a9] Error binding
'Connection reset by peer' (pf::LDAP::bind)
Aug 11 11:48:56 httpd.aaa(12652) WARN: [mac:80:56:f2:15:b8:a9] LDAP connection
expired (pf::LDAP::expire_if)
Aug 11 11:48:56 httpd.aaa(12652) INFO: [mac:80:56:f2:15:b8:a9] Matched rule
(Internal) in source Test, returning actions.
(pf::Authentication::Source::match)
Aug 11 11:48:56 httpd.aaa(12652) INFO: [mac:80:56:f2:15:b8:a9] violation
1300003 force-closed for 80:56:f2:15:b8:a9
(pf::violation::violation_force_close)
Aug 11 11:48:56 httpd.aaa(12652) INFO: [mac:80:56:f2:15:b8:a9] Instantiate
profile 802.1x (pf::Portal::ProfileFactory::_from_profile)
Aug 11 11:48:56 httpd.aaa(12652) INFO: [mac:80:56:f2:15:b8:a9] Using sources
Test for matching (pf::authentication::match)
Aug 11 11:48:56 httpd.aaa(12652) INFO: [mac:80:56:f2:15:b8:a9] Matched rule
(Internal) in source Test, returning actions.
(pf::Authentication::Source::match)
Aug 11 11:48:56 httpd.aaa(12652) INFO: [mac:80:56:f2:15:b8:a9] Using sources
Test for matching (pf::authentication::match)
Aug 11 11:48:56 httpd.aaa(12652) INFO: [mac:80:56:f2:15:b8:a9] Matched rule
(Internal) in source Test, returning actions.
(pf::Authentication::Source::match)
Aug 11 11:48:56 httpd.aaa(12652) INFO: [mac:80:56:f2:15:b8:a9] Username was
defined "host/IT-L-HP250.asd.local" - returning role 'RUFCInternal'
(pf::role::getRegisteredRole)
Aug 11 11:48:56 httpd.aaa(12652) INFO: [mac:80:56:f2:15:b8:a9] PID:
"host/IT-L-HP250.asd.local", Status: reg Returned VLAN: (undefined), Role:
RUFCInternal (pf::role::fetchRoleForNode)
Aug 11 11:48:56 httpd.aaa(12652) INFO: [mac:80:56:f2:15:b8:a9] (10.16.20.102)
Added VLAN 15 to the returned RADIUS Access-Accept
(pf::Switch::returnRadiusAccessAccept)
Aug 11 11:48:57 httpd.aaa(12652) INFO: [mac:b8:03:05:a8:92:e7] Updating
locationlog from accounting request (pf::api::handle_accounting_metadata)
Now the "Error binding 'Connection reset by peer' (pf::LDAP::bind)" seem fairly
critical, but it still seems to be working.
I've got "Use stripped username" ticked and I'm now wondering if this might be
the issue? I did lots of testing changing the "Base DN" and "Scope" fields
along with the rule criteria. I can't say I got consistent results. Sometimes
it seemed to work, and sometimes not, but this may have been because I was
making other mistakes.
I've attached sanitised versions of profiles.conf and authentication.conf
Thanks
-----Original Message-----
From: Durand fabrice via PacketFence-users
[mailto:[email protected]]
Sent: 11 August 2018 02:52
To: [email protected]
Cc: Durand fabrice <[email protected]>
Subject: Re: [PacketFence-users] 802.1x, Roles/Dynamic VLAN & Certificates.....
Hello John,
in the packetfence.log file you will be able to see which source the username
match.
Also you can use pftest authentication bob "" to test the rules.
If you want you can send me the authentication.conf (remove confidential data),
profiles.conf file and i will probably what is the issue.
Regards
Fabrice
Le 2018-08-09 à 08:16, John Sayce via PacketFence-users a écrit :
> Sorry, I realised it's not setting the role because I was using the attribute
> sAMAccountName rather than servicePrincipalName.
>
> However I'm still not quite sure how to apply two different roles as
> discussed in Section 8. I've added both sources with different roles to my
> profile but it appears to authenticate with the first source ignoring the
> Base DN.
>
>
>
> -----Original Message-----
> From: John Sayce via PacketFence-users
> [mailto:[email protected]]
> Sent: 09 August 2018 08:02
> To: '[email protected]'
> <[email protected]>
> Cc: John Sayce <[email protected]>
> Subject: Re: [PacketFence-users] 802.1x, Roles/Dynamic VLAN &
> Certificates.....
>
> Got the certificate sorted, that was pretty straight forward when I actually
> follow things though.
>
> I am still having issues with role assignment. At the moment I've only got
> one role and one authentication source with a rule to apply a role without
> any conditions in my authentication source, but the role doesn't apply. I'm
> not really sure how to debug things though?
>
> I followed section 5.5 to create a connection profile
> https://packetfence.org/doc/PacketFence_Installation_Guide.html#_confi
> guring_the_connection_profile
>
> Ideally I'd like to do something like section 8,
> https://packetfence.org/doc/PacketFence_Installation_Guide.html#_intro
> duction_to_role_based_access_control
> Such that there are two authentication sources with different "Base DN" and
> this leads to the application of two different roles.
>
> John
>
> -----Original Message-----
> From: Durand fabrice via PacketFence-users
> [mailto:[email protected]]
> Sent: 04 August 2018 02:19
> To: [email protected]
> Cc: Durand fabrice <[email protected]>
> Subject: Re: [PacketFence-users] 802.1x, Roles/Dynamic VLAN &
> Certificates.....
>
> Hello John,
>
>
> Le 2018-08-03 à 11:18, John Sayce via PacketFence-users a écrit :
>> Hi,
>>
>> I’ve setup 802.1x for my wireless. I initially started using NPS but it
>> didn't have the flexibility I wanted for dynamic VLAN assignment. So I've
>> setup packetfence and my clients can authenticate but they're not getting
>> assigned the roles I'd like, to then go in the appropriate VLAN.
>>
>> Specifically I want to assign roles based on organisational unit. Am I
>> correct, that the (best) way to do this is to create an active directory
>> source for each role with a rule that then checks the distinguished name to
>> get the organisational unit with the action to assign the appropriate role?
>> As I say, at the moment this doesn't appear to work, but I haven't tried to
>> debug it yet, so I might have made a silly mistake somewhere.
> As i remember a dn cannot be use for a ldapsearch
> (https://www.openldap.org/lists/openldap-software/200503/msg00520.html
> )
> but maybe i am wrong.
> The better way to test it will be to configure a rule like distingishName
> regex ou=blablabla and use pftest to see if the rule match.
> Btw i prefer to use groupMembership for that.
>> Initially I setup the client to skip verification of the server's
>> certificate to see the radius requests coming in. Later I re-enabled the
>> verification and added the certificates to the trusted root store but
>> received an error about a valid trust anchor for this profile. I believe I
>> can override this by specifying the specific certificate in group policy but
>> I didn't really understand the error message. Ultimately I have a Microsoft
>> PKI setup so I'd like to assign a certificate from this. The manual says I
>> then edit the "/usr/local/pf/conf/radiusd/eap.conf" and point the relevant
>> settings at the certificates files approved by my Microsoft PKI. Is that
>> sufficient? And will I still get the error about a valid trust anchor? I
>> don't believe I encountered that issue with NPS.
> NPS know the microsoft pki, so by default i think there is already a
> certificate for it.
> So you will need to generate a certificate on the pki for the radius server
> (https://github.com/inverse-inc/packetfence/blob/devel/docs/pki/microsoft.asciidoc#radius-certificate-generation).
>
> With that you will probably don't have anymore the vlaid trust anchor with
> the device joined to the domain but you will still have it for the rest (you
> need to install the CA public key on each devices).
> Regards
> Fabrice
>
>> Thanks
>> John
>> ---------------------------------------------------------------------
>> -
>> -------- Check out the vibrant tech community on one of the world's
>> most engaging tech sites, Slashdot.org! http://sdm.link/slashdot
>> _______________________________________________
>> PacketFence-users mailing list
>> [email protected]
>> https://lists.sourceforge.net/lists/listinfo/packetfence-users
>
> ----------------------------------------------------------------------
> -------- Check out the vibrant tech community on one of the world's
> most engaging tech sites, Slashdot.org! http://sdm.link/slashdot
> _______________________________________________
> PacketFence-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/packetfence-users
> ----------------------------------------------------------------------
> -------- Check out the vibrant tech community on one of the world's
> most engaging tech sites, Slashdot.org! http://sdm.link/slashdot
> _______________________________________________
> PacketFence-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/packetfence-users
> ----------------------------------------------------------------------
> -------- Check out the vibrant tech community on one of the world's
> most engaging tech sites, Slashdot.org! http://sdm.link/slashdot
> _______________________________________________
> PacketFence-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/packetfence-users
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most engaging tech
sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
#
# Copyright (C) 2005-2017 Inverse inc.
#
# See the enclosed file COPYING for license information (GPL).
# If you did not receive this file, see
# http://www.fsf.org/licensing/licenses/gpl.html
[802.1x]
filter=connection_type:Wireless-802.11-EAP,connection_type:Wireless-802.11-NoEAP
sources=Test
autoregister=enabled
locale=
access_registration_when_registered=disabled
reuse_dot1x_credentials=enabled
root_module=test
#
# Copyright (C) 2005-2017 Inverse inc.
#
# See the enclosed file COPYING for license information (GPL).
# If you did not receive this file, see
# http://www.fsf.org/licensing/licenses/gpl.html
[Test]
description=Test
dynamic_routing_module=AuthModule
port=389
scope=sub
stripped_user_name=no
basedn=DC=asd,DC=local
binddn=********
email_attribute=mail
password=********
usernameattribute=servicePrincipalName
connection_timeout=10
type=AD
encryption=none
host=10.16.2.2
[Test rule Youth]
description=Youth
class=authentication
match=any
action0=Set_role=RUFCYouth
action1=set_access_duration=5D
condition0=distinguishedName,matches regexp,OU=*********
[Test rule Internal]
description=
class=authentication
match=any
action0=set_role=RUFCInternal
action1=set_access_duration=12h
condition0=distinguishedName,matches regexp,OU=*******
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
