Hello Fabrice,

Sorry for the delay.

We are using an external captive portal (Aerohive) that authenticates using PacketFence. PacketFence is configured with a RADIUS proxy in /usr/local/pf/raddb/proxy.conf that forwards to our RADIUS servers for authorization. Then we use the LDAP authentication source to auto-register the device.

I have attached:
authentication.conf
profiles.conf
proxy.conf

Thank you,

Benjamin Brenek
BAYADA Home Health Care | Intern, Support (NES)
4300 Haddonfield Road | Pennsauken, NJ 08109
O: 856-380-3008 | Ext: 0527-13 | bayada.com

-----Original Message-----
From: Durand fabrice <[email protected]>
Sent: Friday, January 11, 2019 6:49 PM
To: Brenek, Benjamin <[email protected]>; [email protected]
Subject: Re: [PacketFence-users] LDAP Authentication Source Base DN and Scope are not followed.

Hello Benjamin,

just one thing to be sure to understand correctly, do you authenticate on the portal or is it autoreg via radius ?

Can you send me the authentication.conf and profiles.conf file ?

Thanks

Regards
Fabrice

On 19-01-11 at 09:44, Brenek, Benjamin wrote:
> Hi Fabrice,
>
> I did as requested and ran a capture for ldap traffic between PacketFence and
> the ldap source. The BaseDN is correct (ou=Company
> Users,dc=subdomain,dc=domain,dc=com) and the scope was correct (subtree =>
> wholeSubtree). It also appears that all searchRequests return 0 results,
> which makes it seem like PacketFence is doing something even though it
> shouldn't.
>
> Thank you,
>
> Benjamin Brenek
>
> -----Original Message-----
> From: Durand fabrice via PacketFence-users <[email protected]>
> Sent: Thursday, January 10, 2019 6:30 PM
> To: [email protected]
> Cc: Durand fabrice <[email protected]>
> Subject: Re: [PacketFence-users] LDAP Authentication Source Base DN and Scope are not followed.
>
> Hello Benjamin,
>
> what you can do is to capture the ldap traffic between PacketFence and the
> ldap source and see with wireshark if the scope/base dn is what you set in
> the authentication source.
>
> In the code it does a search for the dn of the user and tries to bind with this
> dn.
>
> So if the user is not in or under the basedn then the search should not
> return anything and the authentication should fail.
>
> So take the capture and see what happens exactly.
>
> Regards
>
> Fabrice
>
> On 19-01-10 at 10:38, Brenek, Benjamin via PacketFence-users wrote:
>> Hi Nicolas,
>>
>> Our authentication rules under the LDAP sources do not check LDAP
>> attributes, as expected/assumed functionality of the LDAP Source would be to
>> restrict authorization to the specified Base DN. Is this
>> expectation/assumption incorrect?
>>
>> Thank you,
>>
>> Benjamin Brenek
>>
>> -----Original Message-----
>> From: Nicolas Quiniou-Briand <[email protected]>
>> Sent: Thursday, January 10, 2019 10:20 AM
>> To: Brenek, Benjamin <[email protected]>; [email protected]
>> Subject: Re: [PacketFence-users] LDAP Authentication Source Base DN and Scope are not followed.
>>
>> Hello Benjamin,
>>
>> On 2019-01-10 3:54 p.m., Brenek, Benjamin wrote:
>>> Hi Nicolas,
>>>
>>> I did as requested. It looks like the authentication comes back with no
>>> matches, yet still authenticates the user. Attached is the part of the log
>>> that relates to authentication of the user.
>>
>> I saw this:
>> ```
>> Matched condition SSID equals Company_Employee (pf::Authentication::Source::match_rule)
>> [..]
>> Matched condition SSID equals Company_Employee (pf::Authentication::Source::match_rule)
>> ```
>> for both LDAP sources.
>>
>> Did you have rules on your LDAP sources that check the SSID value in place
>> of an LDAP attribute ?
>> --
>> Nicolas Quiniou-Briand
>> [email protected] :: +1.514.447.4918 *140 :: https://inverse.ca
>> Inverse inc. :: Leaders behind SOGo (https://sogo.nu), PacketFence (https://packetfence.org) and Fingerbank (https://fingerbank.org)
Attachments:
profiles.conf
proxy.conf
authentication.conf
_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
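The thread turns on two separate checks: Fabrice's description of the LDAP source (search for the user's DN under the configured base DN and scope, then bind as that DN, so zero search results should mean failure), and Nicolas's observation that the authentication rules only matched on the SSID. The following Python is an added, offline emulation of those two behaviours written for this page; it is not PacketFence's code, and the in-memory directory, user entries, passwords and rule conditions are constructed for the example. It shows why a user outside the base DN gets zero search results, and why a rule whose only condition is a RADIUS request attribute (the SSID) still matches for that user, which is the effect the original poster saw.

```python
"""Offline emulation of LDAP base-DN/scope search-then-bind and of rule
matching with request-only versus LDAP-attribute conditions.
Added example for this thread; not PacketFence code. All data is constructed."""

# Constructed directory: DN -> attributes. userPassword is held in clear text
# only because this dict stands in for a real LDAP server's bind operation.
DIRECTORY = {
    "uid=alice,ou=Company Users,dc=subdomain,dc=domain,dc=com": {
        "sAMAccountName": "alice", "userPassword": "alice-pw", "memberOf": ["cn=staff"]},
    "uid=bob,ou=Staff,ou=Company Users,dc=subdomain,dc=domain,dc=com": {
        "sAMAccountName": "bob", "userPassword": "bob-pw", "memberOf": []},
    "uid=mallory,ou=Contractors,dc=subdomain,dc=domain,dc=com": {
        "sAMAccountName": "mallory", "userPassword": "mallory-pw", "memberOf": []},
}

BASE_DN = "ou=Company Users,dc=subdomain,dc=domain,dc=com"   # from the thread
# Hypothetical rule definitions: (where the value comes from, attribute, expected value).
SSID_ONLY_RULE = [("request", "SSID", "Company_Employee")]
GROUP_RULE = [("request", "SSID", "Company_Employee"), ("ldap", "memberOf", "cn=staff")]


def split_dn(dn):
    """Split a DN into RDNs, lower-cased with whitespace around commas removed.
    Simplified: escaped commas and multi-valued RDNs are not handled."""
    return [rdn.strip().lower() for rdn in dn.split(",")]


def dn_in_scope(dn, base_dn, scope):
    """True if `dn` would be returned by a search rooted at `base_dn` with
    scope 'base', 'one' or 'sub' (the LDAP containment rule of RFC 4511, 4.5.1)."""
    rdns, base = split_dn(dn), split_dn(base_dn)
    if len(rdns) < len(base) or rdns[len(rdns) - len(base):] != base:
        return False                       # not the base entry and not below it
    depth = len(rdns) - len(base)          # 0 = the base entry itself
    return {"base": depth == 0, "one": depth == 1, "sub": True}[scope]


def ldap_search(directory, base_dn, scope, attr, value):
    """Emulate a search for (attr=value) under base_dn; return the matching DNs."""
    return [dn for dn, entry in directory.items()
            if dn_in_scope(dn, base_dn, scope) and entry.get(attr) == value]


def search_then_bind(directory, base_dn, scope, username, password):
    """The flow Fabrice describes: find the user's DN under the base DN, then
    bind as that DN. Zero (or ambiguous) search results fail before any bind."""
    found = ldap_search(directory, base_dn, scope, "sAMAccountName", username)
    if len(found) != 1:
        return False, "search returned %d results under %s" % (len(found), base_dn)
    user_dn = found[0]
    if directory[user_dn]["userPassword"] != password:   # stand-in for the bind
        return False, "bind failed for %s" % user_dn
    return True, user_dn


def match_rule(conditions, request, ldap_entry):
    """Every condition must hold. A 'request' condition is answered from the
    RADIUS request alone; an 'ldap' condition needs the user's entry, so it
    cannot hold when the search found nothing."""
    for where, attr, expected in conditions:
        values = request.get(attr) if where == "request" else (ldap_entry or {}).get(attr)
        if values is None:
            return False
        if isinstance(values, list):
            if expected not in values:
                return False
        elif values != expected:
            return False
    return True


def evaluate(username, password, ssid, conditions, base_dn=BASE_DN, scope="sub"):
    """Run both checks and report them separately so the gap between them is visible."""
    ok, detail = search_then_bind(DIRECTORY, base_dn, scope, username, password)
    entry = DIRECTORY[detail] if ok else None
    return {"authenticated": ok, "detail": detail,
            "rule_matched": match_rule(conditions, {"SSID": ssid}, entry)}


if __name__ == "__main__":
    for user in ("alice", "bob", "mallory"):
        for name, rule in (("SSID-only rule", SSID_ONLY_RULE), ("group rule", GROUP_RULE)):
            print(user, name, evaluate(user, user + "-pw", "Company_Employee", rule))
```

With the SSID-only rule, `mallory` (outside the base DN) gets `authenticated: False` with "search returned 0 results" yet `rule_matched: True`, because nothing in the rule depends on the LDAP lookup; adding an LDAP-attribute condition such as the `memberOf` check makes the rule fail for any user the search did not find. The same `dn_in_scope` function also shows the scope difference: `bob`, one level deeper, is found with `sub` (wholeSubtree) but not with `one`.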
