Post the result of that command:

cat /usr/local/pf/conf/realm.conf

Thanks,

Ludovic Zammit
lzam...@inverse.ca :: +1.514.447.4918 (x145) :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence (http://packetfence.org)




> On Mar 10, 2020, at 12:19 PM, Christian Sudec <c.su...@htlwrn.ac.at> wrote:
> 
> Hi again!
> 
> I ran 'pftest authentication Testy Testpwd' and these are the results:
> 
> Authenticating against 'HTL_AD' in context 'admin'
>   Authentication SUCCEEDED against HTL_AD (Authentication successful.)
>   Matched against HTL_AD for 'authentication' rule Teachers
>     set_role : Teacher
>     set_access_duration : 1D
>   Did not match against HTL_AD for 'administration' rules
> 
> Authenticating against 'HTL_AD' in context 'portal'
>   Authentication SUCCEEDED against HTL_AD (Authentication successful.)
>   Matched against HTL_AD for 'authentication' rule Teachers
>     set_role : Teacher
>     set_access_duration : 1D
>   Did not match against HTL_AD for 'administration' rules
> 
> So I get the preferred role, but as stated in the logs and in 'Auditing' I 
> didn't get it...
> ???
> 
> regards
> Chris
> 
> On 10.03.2020 16:09, Ludovic Zammit wrote:
>> Ok, so if you are doing 802.1x then most of the time you do 
>> auto-registration where you don’t display the captive portal.
>> 
>> In that case, your access would be computed on the fly. Do that and remove 
>> device info:
>> 
>> grep MAC_ADDRESS /usr/local/pf/logs/packetfence.log
>> 
>> My guess is that you don’t match or get the VLAN for the proper role. Check 
>> for the auto register option on the connection profile.
>> 
>> Thanks,
>> Ludovic Zammit
>> lzam...@inverse.ca :: +1.514.447.4918 (x145) :: www.inverse.ca
>> Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence (http://packetfence.org)
>> 
>> 
>> 
>> 
>>> On Mar 10, 2020, at 11:04 AM, Christian Sudec <c.su...@htlwrn.ac.at> wrote:
>>> 
>>> Hello Ludovic!
>>> 
>>> 
>>> On 10.03.2020 14:42, Ludovic Zammit wrote:
>>>> Hello Christian,
>>>> 
>>>> Are you doing VLAN enforcement or Role enforcement ?
>>> We're doing only 'RADIUS Enforcement' as this is the requirement for 802.1x
>>> (both wireless and wired).
>>> 
>>>> On Aruba you have to do one of them, not both at the same time.
>>> What do you mean? When doing 802.1x packetfence uses the username and
>>> password with its authentication rules to determine the role (e.g. teacher/pupil),
>>> which is used in the switch-profile with "Role mapping by VLAN ID" to provide
>>> the correct VLAN (772/773).
>>> 
>>>> How are you redirected on the captive portal ? By a radius request ?
>>> There is no captive portal, because no guests are allowed.
>>> 
>>>> Once you get authenticated PF sends a radius disconnect message to the AP 
>>>> to kick your Mac address out for the client to reconnect immediately and 
>>>> get the production vlan/role
>>> That's my question: there is no Tunnel-Private-Group-ID and no disconnect 
>>> message. How and where do
>>> I set/debug these?
>>> 
>>>> Check the logs/packetfence.log for your Mac address the activity and see 
>>>> if you can find any error.
>>> Nothing useful (at least for me) in there:
>>> Mar 10 12:10:22 ippf auth[1659]: (14606)   Login OK: [Testy] (from client 
>>> 10.71.100.63/32 port 0 cli bc:d1:d3:31:13:78 via TLS tunnel)
>>> Mar 10 12:10:22 ippf auth[1659]: [mac:bc:d1:d3:31:13:78] Accepted user: 
>>> Testy and returned VLAN
>>> Mar 10 12:10:22 ippf auth[1659]: (14607) Login OK: [Testy] (from client 
>>> 10.71.100.63/32 port 0 cli bc:d1:d3:31:13:78)
>>> 
>>> As you can see: returned VLAN - but I don't get one...
>>> 
>>> kind regards
>>>> 
>>>> Thanks,
>>>> Ludovic Zammit
>>>> lzam...@inverse.ca :: +1.514.447.4918 (x145) :: www.inverse.ca
>>>> Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence (http://packetfence.org)
>>>> 
>>>> 
>>>> 
>>>> 
>>>>> On Mar 10, 2020, at 8:00 AM, Christian Sudec via PacketFence-users
>>>>> <packetfence-users@lists.sourceforge.net> wrote:
>>>>> 
>>>>> Hi everybody!
>>>>> 
>>>>> First the current situation so far:
>>>>> 
>>>>> We installed a test-network, where the packetfence-server is reachable 
>>>>> with an ip 10.5.1.4 (type management)
>>>>> and set 'RADIUS enforcement' as chosen method.
>>>>> 
>>>>> Next we installed a Mikrotik-Switch (POE) with 4 VLANS (771-774) and 
>>>>> attached an Aruba-AP to a trunk port
>>>>> with the mentioned VLANs. The default VLAN is 771 and the AP gets an IP 
>>>>> and can connect to the pf-server.
>>>>> 
>>>>> Now we created an authentication-source to our AD and created a 
>>>>> switch-template for the AP. There are two
>>>>> roles based on AD-group-membership: teachers (VID 772) and pupils (VID 
>>>>> 773) - set in the switch profile under
>>>>> 'Role mapping by VLAN ID'.
>>>>> 
>>>>> As far as it was possible, we set up the AP according to the packetfence 
>>>>> device configuration guide, because
>>>>> the guide refers to ArubaOS 5.x, but we are already at 8.6.0.2.
>>>>> 
>>>>> Now we are stuck: everybody can login with an ad-username (and password),
>>>>> but the user doesn't get transferred to the correct vlan and stays in the
>>>>> default. In 'Auditing' I
>>>>> can see at 'Node Information' the
>>>>> Role N/A and there is no Tunnel-Private-Group-ID in the RADIUS Reply.
>>>>> 
>>>>> Can somebody enlighten me on what to check or what to set / how to debug?
>>>>> 
>>>>> kind regards
>>>>> Chris
>>>>> 
>>>>> 
>>>>> _______________________________________________
>>>>> PacketFence-users mailing list
>>>>> PacketFence-users@lists.sourceforge.net
>>>>> https://lists.sourceforge.net/lists/listinfo/packetfence-users
>>>> 
>>> 
>> 
> 

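The whole thread turns on one observable: whether the RADIUS Access-Accept that PacketFence returns to the AP actually carries the three tunnel attributes (Tunnel-Type = VLAN, Tunnel-Medium-Type = IEEE-802, Tunnel-Private-Group-ID = the VLAN number) that the switch or AP needs to place the client in a VLAN. The following is an added example, not PacketFence code and not from anyone in this thread: a small RFC 2865/2868 reply parser that decodes a captured Access-Accept, reports which of the tunnel attributes are present or missing, extracts the VLAN, and verifies the Response Authenticator against the shared secret. The packets, the request authenticator and the shared secret below are constructed for the demonstration; the VLAN ID 772 is the Teacher VLAN mentioned in the thread.

```python
import hashlib
import hmac
import struct

# RADIUS codes and attribute numbers from RFC 2865 / RFC 2868.
ACCESS_ACCEPT = 2
ATTR_TUNNEL_TYPE = 64
ATTR_TUNNEL_MEDIUM_TYPE = 65
ATTR_TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13        # Tunnel-Type enumeration value "VLAN"
TUNNEL_MEDIUM_IEEE802 = 6    # Tunnel-Medium-Type enumeration value "IEEE-802"

ATTR_NAMES = {
    ATTR_TUNNEL_TYPE: "Tunnel-Type",
    ATTR_TUNNEL_MEDIUM_TYPE: "Tunnel-Medium-Type",
    ATTR_TUNNEL_PRIVATE_GROUP_ID: "Tunnel-Private-Group-ID",
}


def parse_radius(packet: bytes):
    """Split a RADIUS packet into (code, identifier, [(type, raw_value), ...])."""
    if len(packet) < 20:
        raise ValueError("packet shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("length field does not fit the packet")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("attribute length runs past the packet")
        attrs.append((atype, bytes(packet[pos + 2:pos + alen])))
        pos += alen
    return code, ident, attrs


def tagged_int(value: bytes):
    """Tunnel-Type / Tunnel-Medium-Type: tag byte (0x00-0x1f) + 3-byte integer."""
    if len(value) != 4:
        raise ValueError("tagged integer attribute must be 4 bytes")
    if value[0] <= 0x1F:
        return value[0], int.from_bytes(value[1:], "big")
    return 0, int.from_bytes(value, "big")  # first byte > 0x1f: no tag (RFC 2868)


def tagged_string(value: bytes):
    """Tunnel-Private-Group-ID: optional tag byte (0x00-0x1f) followed by a string."""
    if value and value[0] <= 0x1F:
        return value[0], value[1:]
    return 0, value


def check_vlan_assignment(packet: bytes) -> dict:
    """Report what a reply carries for VLAN assignment and which pieces are missing."""
    code, _, attrs = parse_radius(packet)
    result = {"code": code, "vlan": None, "missing": [], "problems": []}
    if code != ACCESS_ACCEPT:
        result["problems"].append("reply is not an Access-Accept")
        return result
    found, tags = {}, set()
    for atype, raw in attrs:
        if atype not in ATTR_NAMES:
            continue
        if atype == ATTR_TUNNEL_PRIVATE_GROUP_ID:
            tag, val = tagged_string(raw)
            val = val.decode("ascii", "replace")
        else:
            tag, val = tagged_int(raw)
        found[ATTR_NAMES[atype]] = val
        tags.add(tag)
    result["missing"] = [n for n in ATTR_NAMES.values() if n not in found]
    if len(tags) > 1:
        result["problems"].append("tunnel attributes carry different tags")
    if found.get("Tunnel-Type", TUNNEL_TYPE_VLAN) != TUNNEL_TYPE_VLAN:
        result["problems"].append("Tunnel-Type is not VLAN (13)")
    if found.get("Tunnel-Medium-Type", TUNNEL_MEDIUM_IEEE802) != TUNNEL_MEDIUM_IEEE802:
        result["problems"].append("Tunnel-Medium-Type is not IEEE-802 (6)")
    if not result["missing"] and not result["problems"]:
        result["vlan"] = found["Tunnel-Private-Group-ID"]
    return result


def verify_response_authenticator(packet: bytes, request_auth: bytes, secret: bytes) -> bool:
    """RFC 2865: ResponseAuth = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    header, auth, body = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + request_auth + body + secret).digest()
    return hmac.compare_digest(auth, expected)


def build_access_accept(ident: int, attrs, request_auth: bytes, secret: bytes) -> bytes:
    """Construct an Access-Accept with a valid Response Authenticator (test data only)."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(body))
    return header + hashlib.md5(header + request_auth + body + secret).digest() + body


def tunnel_attrs(vlan: str, tag: int = 1):
    """The three attributes a NAS needs for VLAN placement, all under one tag."""
    return [
        (ATTR_TUNNEL_TYPE, bytes([tag]) + TUNNEL_TYPE_VLAN.to_bytes(3, "big")),
        (ATTR_TUNNEL_MEDIUM_TYPE, bytes([tag]) + TUNNEL_MEDIUM_IEEE802.to_bytes(3, "big")),
        (ATTR_TUNNEL_PRIVATE_GROUP_ID, bytes([tag]) + vlan.encode("ascii")),
    ]


# Constructed sample inputs: not a real capture, not a real secret.
SAMPLE_REQUEST_AUTH = bytes(range(16))
SAMPLE_SECRET = b"constructed-shared-secret"

if __name__ == "__main__":
    good = build_access_accept(7, tunnel_attrs("772"), SAMPLE_REQUEST_AUTH, SAMPLE_SECRET)
    bare = build_access_accept(8, [], SAMPLE_REQUEST_AUTH, SAMPLE_SECRET)  # Accept, no VLAN
    for name, pkt in (("with tunnel attrs", good), ("bare Access-Accept", bare)):
        print(name, check_vlan_assignment(pkt),
              "authenticator ok:", verify_response_authenticator(pkt, SAMPLE_REQUEST_AUTH, SAMPLE_SECRET))
```

The "bare Access-Accept" case is the shape of reply the original poster describes: the user authenticates, but the NAS is handed nothing it can map to a VLAN, so the client stays in the default VLAN. Run against a real capture (e.g. from tcpdump on UDP 1812 between the AP and PacketFence), the `missing` list tells you whether the problem is on the PacketFence side (no tunnel attributes sent) or on the AP side (attributes sent but not honoured).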
_______________________________________________
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users