Hi again!

I ran 'pftest authentication Testy Testpwd' and these are the results:

Authenticating against 'HTL_AD' in context 'admin'
  Authentication SUCCEEDED against HTL_AD (Authentication successful.)
  Matched against HTL_AD for 'authentication' rule Teachers
    set_role : Teacher
    set_access_duration : 1D
  Did not match against HTL_AD for 'administration' rules

Authenticating against 'HTL_AD' in context 'portal'
  Authentication SUCCEEDED against HTL_AD (Authentication successful.)
  Matched against HTL_AD for 'authentication' rule Teachers
    set_role : Teacher
    set_access_duration : 1D
  Did not match against HTL_AD for 'administration' rules

So I get the preferred role, but as stated in the logs and in 'Auditing' I didn't get it...
???

regards
Chris

On 10.03.2020 16:09, Ludovic Zammit wrote:
Ok, so if you are doing 802.1x then most of the time you do auto-registration where you don’t display the captive portal.

In that case, your access would be computed on the fly. Do that and remove device info:

grep MAC_ADDRESS /usr/local/pf/logs/packetfence.log

My guess is that you don’t match or get the VLAN for the proper role. Check for the auto register option on the connection profile.

Thanks,
Ludovic Zammit
lzam...@inverse.ca :: +1.514.447.4918 (x145) :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence (http://packetfence.org)




On Mar 10, 2020, at 11:04 AM, Christian Sudec <c.su...@htlwrn.ac.at> wrote:

Hello Ludovic!


On 10.03.2020 14:42, Ludovic Zammit wrote:
Hello Christian,

Are you doing VLAN enforcement or Role enforcement ?
We're doing only 'RADIUS Enforcement' as this is the requirement for 802.1x (both wireless and wired).

On Aruba you have to do one of them, not both at the same time.
What do you mean? When doing 802.1x PacketFence uses the username and password with its authentication rules to determine the role (e.g. teacher/pupil), which is used in the switch profile with "Role mapping by VLAN ID" to provide the correct VLAN (772/773).

How are you redirected on the captive portal ? By a radius request ?
There is no captive portal, because no guests are allowed.

Once you get authenticated PF sends a radius disconnect message to the AP to kick your Mac address out for the client to reconnect immediately and get the production vlan/role
That's my question: there is no Tunnel-Private-Group-ID and no disconnect message. How and where do I set/debug these?

Check the logs/packetfence.log for your Mac address the activity and see if you can find any error.
Nothing useful (at least for me) in there:
Mar 10 12:10:22 ippf auth[1659]: (14606)   Login OK: [Testy] (from client 10.71.100.63/32 port 0 cli bc:d1:d3:31:13:78 via TLS tunnel)
Mar 10 12:10:22 ippf auth[1659]: [mac:bc:d1:d3:31:13:78] Accepted user: Testy and returned VLAN
Mar 10 12:10:22 ippf auth[1659]: (14607) Login OK: [Testy] (from client 10.71.100.63/32 port 0 cli bc:d1:d3:31:13:78)

As you can see: returned VLAN - but I don't get one...

kind regards

Thanks,
Ludovic Zammit
lzam...@inverse.ca :: +1.514.447.4918 (x145) :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence (http://packetfence.org)




On Mar 10, 2020, at 8:00 AM, Christian Sudec via PacketFence-users <packetfence-users@lists.sourceforge.net> wrote:

Hi everybody!

First the current situation so far:

We installed a test-network, where the packetfence-server is reachable with an ip 10.5.1.4 (type management)
and set 'RADIUS enforcement' as chosen method.

Next we installed a Mikrotik-Switch (POE) with 4 VLANS (771-774) and attached an Aruba-AP to a trunk port with the mentioned VLANs. The default VLAN is 771 and the AP gets an IP and can connect to the pf-server.

Now we created an authentication-source to our AD and created a switch-template for the AP. There are two roles based on AD-group-membership: teachers (VID 772) and pupils (VID 773) - set in the switch profile under 'Role mapping by VLAN ID'.

As far as it was possible, we set up the AP according to the packetfence device configuration guide, because
the guide refers to ArubaOS 5.x, but we are already at 8.6.0.2.

Now we are stuck: everybody can login with an AD username (and password), but the user doesn't get transferred to the correct VLAN and stays in the default. In 'Auditing' I can see at 'Node Information' the Role N/A and there is no Tunnel-Private-Group-ID in the RADIUS Reply.

Can somebody enlighten me on what to check or what to set / how to debug?

kind regards
Chris


_______________________________________________
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users
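The thread's diagnostic step is to grep packetfence.log for the client MAC and read off whether the RADIUS authorization step actually returned a VLAN. The script below is an added example written for this thread, not code from PacketFence or from any of the posters: it parses log lines shaped like the "Login OK" and "Accepted user ... returned VLAN" entries quoted above, groups them per MAC (accepting either colon or dash notation) and reports the state a troubleshooter cares about: no activity at all, EAP login without authorization, authorization with an empty VLAN value (the symptom in the thread), or a VLAN actually returned. The sample log is constructed from the quoted lines; the fourth line with "returned VLAN 773" is an assumed success case and the exact wording of the "returned VLAN" entry in other PacketFence versions is also an assumption.

```python
import re
from typing import Dict, List, Optional

# Constructed sample modelled on the packetfence.log excerpt quoted in the thread.
# The last line is an ASSUMED success case (a pupil landing in VID 773), not from the thread.
SAMPLE_LOG = """\
Mar 10 12:10:22 ippf auth[1659]: (14606)   Login OK: [Testy] (from client 10.71.100.63/32 port 0 cli bc:d1:d3:31:13:78 via TLS tunnel)
Mar 10 12:10:22 ippf auth[1659]: [mac:bc:d1:d3:31:13:78] Accepted user: Testy and returned VLAN
Mar 10 12:10:22 ippf auth[1659]: (14607) Login OK: [Testy] (from client 10.71.100.63/32 port 0 cli bc:d1:d3:31:13:78)
Mar 10 12:11:05 ippf auth[1659]: [mac:aa:bb:cc:dd:ee:01] Accepted user: Pupil1 and returned VLAN 773
"""

# EAP/RADIUS login line: "Login OK: [user] (... cli <mac> ...)"
LOGIN_RE = re.compile(
    r"Login OK: \[(?P<user>[^\]]+)\].*?cli (?P<mac>[0-9a-f:]{17})", re.IGNORECASE
)
# PacketFence authorization line; the VLAN group is allowed to be empty on purpose,
# because an empty value is exactly the failure mode being diagnosed.
ACCEPT_RE = re.compile(
    r"\[mac:(?P<mac>[0-9a-f:]{17})\] Accepted user: (?P<user>\S+) and returned VLAN\s*(?P<vlan>\S*)",
    re.IGNORECASE,
)


def norm_mac(mac: str) -> str:
    """Normalise aa-bb-cc-dd-ee-ff / AA:BB:... to lower-case colon form."""
    return mac.strip().lower().replace("-", ":")


def parse_log(text: str) -> List[Dict[str, Optional[str]]]:
    """Turn raw log text into structured events; lines that match neither pattern are ignored."""
    entries: List[Dict[str, Optional[str]]] = []
    for line in text.splitlines():
        m = ACCEPT_RE.search(line)
        if m:
            entries.append({"event": "accept", "mac": norm_mac(m["mac"]),
                            "user": m["user"], "vlan": m["vlan"] or None})
            continue
        m = LOGIN_RE.search(line)
        if m:
            entries.append({"event": "login", "mac": norm_mac(m["mac"]),
                            "user": m["user"], "vlan": None})
    return entries


def diagnose(entries: List[Dict[str, Optional[str]]], mac: str) -> Dict[str, object]:
    """Summarise what the log says about one client MAC and name the next thing to check."""
    mac = norm_mac(mac)
    mine = [e for e in entries if e["mac"] == mac]
    logins = [e for e in mine if e["event"] == "login"]
    accepts = [e for e in mine if e["event"] == "accept"]
    vlan = next((e["vlan"] for e in accepts if e["vlan"]), None)

    if not mine:
        finding = "no RADIUS activity for this MAC; confirm the AP sends requests to PacketFence"
    elif accepts and vlan is None:
        finding = ("authenticated but the reply carried no VLAN; check the role-to-VLAN mapping "
                   "and the auto-register / connection profile settings")
    elif vlan:
        finding = (f"authenticated and VLAN {vlan} returned; if the client stays in the default "
                   "VLAN, check the AP side (disconnect / re-authentication)")
    else:
        finding = "EAP login succeeded but no 'Accepted user' entry; the authorization step never ran"

    return {
        "authenticated": bool(mine),
        "vlan": vlan,
        "users": sorted({str(e["user"]) for e in mine}),
        "finding": finding,
    }


if __name__ == "__main__":
    # Equivalent of: grep <mac> /usr/local/pf/logs/packetfence.log, plus an interpretation.
    events = parse_log(SAMPLE_LOG)
    for client in ("bc:d1:d3:31:13:78", "aa-bb-cc-dd-ee-01", "00:00:00:00:00:00"):
        print(client, diagnose(events, client))
```

Run it against a real log with `parse_log(open("/usr/local/pf/logs/packetfence.log").read())`; the MAC comparison is case- and separator-insensitive, so the value copied from the Auditing page or from the AP's client list can be used as-is.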