Correct, it works because you have assigned manually and the issue there is that it does not match the rule of your AD thus not getting any authorization.
Fix that and it will fix your issue.

Is vim-foradsgatan-d1s1-a1 a samaccountname?

Thanks,

Ludovic Zammit
[email protected] :: +1.514.447.4918 (x145) :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence (http://packetfence.org)

> On Sep 24, 2020, at 5:43 PM, Fetakungen Virtual Adventurer <[email protected]> wrote:
>
> Thanks, tried but the same result. User gets approved but role gets decided by the “node” so if I don’t assign a role after the node is registered it does the same. If I assign a role to the node / mac the system assigns the role to the user as expected.
>
> This is how it looks with a role assigned to the node. My vlan is assigned correctly, but since I now have to set the vlan manually for every node my user group rules do squat…
>
> Sep 24 20:01:07 RADIUS-1 packetfence_httpd.aaa: httpd.aaa(2126) INFO: [mac:08:f1:ea:3f:11:40] handling radius autz request: from switch_ip => (10.0.10.11), connection_type => Ethernet-NoEAP,switch_mac => (08:f1:ea:64:c4:00), mac => [08:f1:ea:3f:11:40], port => 8, username => "[email protected]" (pf::radius::authorize)
> Sep 24 20:01:07 RADIUS-1 packetfence_httpd.aaa: httpd.aaa(2126) INFO: [mac:08:f1:ea:3f:11:40] Instantiate profile LAN (pf::Connection::ProfileFactory::_from_profile)
> Sep 24 20:01:07 RADIUS-1 packetfence_httpd.aaa: httpd.aaa(2126) INFO: [mac:08:f1:ea:3f:11:40] Found authentication source(s) : 'xxxxx' for realm 'default' (pf::config::util::filter_authentication_sources)
> Sep 24 20:01:07 RADIUS-1 packetfence_httpd.aaa: httpd.aaa(2126) WARN: [mac:08:f1:ea:3f:11:40] No category computed for autoreg (pf::role::getNodeInfoForAutoReg)
> Sep 24 20:01:07 RADIUS-1 packetfence_httpd.aaa: httpd.aaa(2126) INFO: [mac:08:f1:ea:3f:11:40] Found authentication source(s) : 'xxxxx' for realm 'default' (pf::config::util::filter_authentication_sources)
> Sep 24 20:01:07 RADIUS-1 packetfence_httpd.aaa: httpd.aaa(2126) INFO: [mac:08:f1:ea:3f:11:40] Connection type is MAC-AUTH. Getting role from node_info (pf::role::getRegisteredRole)
> Sep 24 20:01:07 RADIUS-1 packetfence_httpd.aaa: httpd.aaa(2126) INFO: [mac:08:f1:ea:3f:11:40] Username was defined "[email protected]" - returning role 'Office_Switch' (pf::role::getRegisteredRole)
> Sep 24 20:01:07 RADIUS-1 packetfence_httpd.aaa: httpd.aaa(2126) INFO: [mac:08:f1:ea:3f:11:40] PID: "default", Status: reg Returned VLAN: (undefined), Role: Office_Switch (pf::role::fetchRoleForNode)
> Sep 24 20:01:07 RADIUS-1 packetfence_httpd.aaa: httpd.aaa(2126) INFO: [mac:08:f1:ea:3f:11:40] (10.0.10.11) Added VLAN 1 to the returned RADIUS Access-Accept (pf::Switch::returnRadiusAccessAccept)
> Sep 24 20:01:07 RADIUS-1 packetfence_httpd.aaa: httpd.aaa(2126) INFO: [mac:08:f1:ea:3f:11:40] security_event 1300003 force-closed for 08:f1:ea:3f:11:40 (pf::security_event::security_event_force_close)
> Sep 24 20:01:07 RADIUS-1 packetfence_httpd.aaa: httpd.aaa(2126) INFO: [mac:08:f1:ea:3f:11:40] Instantiate profile LAN (pf::Connection::ProfileFactory::_from_profile)
> Sep 24 20:01:07 RADIUS-1 packetfence_httpd.aaa: httpd.aaa(2126) INFO: [mac:08:f1:ea:3f:11:40] handling radius autz request: from switch_ip => (10.0.10.11), connection_type => Ethernet-NoEAP,switch_mac => (08:f1:ea:64:c4:00), mac => [08:f1:ea:3f:11:40], port => 8, username => "[email protected]" (pf::radius::authorize)
> Sep 24 20:01:07 RADIUS-1 packetfence_httpd.aaa: httpd.aaa(2126) INFO: [mac:08:f1:ea:3f:11:40] Instantiate profile LAN (pf::Connection::ProfileFactory::_from_profile)
> Sep 24 20:01:07 RADIUS-1 packetfence_httpd.aaa: httpd.aaa(2126) INFO: [mac:08:f1:ea:3f:11:40] Found authentication source(s) : 'xxxxx' for realm 'default' (pf::config::util::filter_authentication_sources)
> Sep 24 20:01:07 RADIUS-1 packetfence_httpd.aaa: httpd.aaa(2126) WARN: [mac:08:f1:ea:3f:11:40] No category computed for autoreg (pf::role::getNodeInfoForAutoReg)
> Sep 24 20:01:07 RADIUS-1 packetfence_httpd.aaa: httpd.aaa(2126) INFO: [mac:08:f1:ea:3f:11:40] Found authentication source(s) : 'xxxxx' for realm 'default' (pf::config::util::filter_authentication_sources)
> Sep 24 20:01:07 RADIUS-1 packetfence_httpd.aaa: httpd.aaa(2126) INFO: [mac:08:f1:ea:3f:11:40] Connection type is MAC-AUTH. Getting role from node_info (pf::role::getRegisteredRole)
> Sep 24 20:01:07 RADIUS-1 packetfence_httpd.aaa: httpd.aaa(2126) INFO: [mac:08:f1:ea:3f:11:40] Username was defined "[email protected]" - returning role 'Office_Switch' (pf::role::getRegisteredRole)
> Sep 24 20:01:07 RADIUS-1 packetfence_httpd.aaa: httpd.aaa(2126) INFO: [mac:08:f1:ea:3f:11:40] PID: "default", Status: reg Returned VLAN: (undefined), Role: Office_Switch (pf::role::fetchRoleForNode)
> Sep 24 20:01:07 RADIUS-1 packetfence_httpd.aaa: httpd.aaa(2126) INFO: [mac:08:f1:ea:3f:11:40] (10.0.10.11) Added VLAN 1 to the returned RADIUS Access-Accept (pf::Switch::returnRadiusAccessAccept)
> Sep 24 20:01:07 RADIUS-1 packetfence_httpd.aaa: httpd.aaa(2126) INFO: [mac:08:f1:ea:3f:11:40] security_event 1300003 force-closed for 08:f1:ea:3f:11:40 (pf::security_event::security_event_force_close)
> Sep 24 20:01:07 RADIUS-1 packetfence_httpd.aaa: httpd.aaa(2126) INFO: [mac:08:f1:ea:3f:11:40] Instantiate profile LAN (pf::Connection::ProfileFactory::_from_profile)
>
> “] Connection type is MAC-AUTH. Getting role from node_info” Why does it claim mac auth at all after the user auth?
>
> BR,
> Anton.
>
> From: Ludovic Zammit <[email protected]>
> Sent: 24 September 2020 16:56
> To: [email protected]
> Cc: Fetakungen Virtual Adventurer <[email protected]>
> Subject: Re: [PacketFence-users] Packetfence set role by mac not user...
>
> Hello there,
>
> You need to split the username in your default realm:
>
> <image001.png>
>
> Thanks,
>
> Ludovic Zammit
> [email protected] :: +1.514.447.4918 (x145) :: www.inverse.ca
> Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence (http://packetfence.org)
>
> On Sep 23, 2020, at 5:59 PM, Fetakungen Virtual Adventurer via PacketFence-users <[email protected]> wrote:
>
> Hi, I still have a problem with my role assignment when I’m trying to use radius auth for my HP Access Switches.
>
> The config is aaa authentication port-access chap-radius Server-group "XX" / aaa port-access authenticator X/XX on the Authenticating switch which in this case is 10.0.20.2 and the access switch (supplicant) config is : aaa port-access supplicant 25 identity [email protected] secret yyyyy
>
> The authentication request is approved but instead of using the username for role assignment it seems to use the “node” role which is put on the access switch mac in this case f8:60:f0:33:00:80 when the node is “auto registered” as the role by default is no role, no role is assigned. So there is the “explanation”, but why is this happening?
>
> In the authentication source which is being used the rule is to put the switch with role “office_switch”. But since packetfence only authenticates the user and then tries to assign role by mac this fails / is being skipped..
>
> This rule works fine with pftest… The output of pftest is this:
>
> Authenticating against 'VEMAB' in context 'admin'
> Authentication SUCCEEDED against VEMAB (Authentication successful.)
> Matched against VEMAB for 'authentication' rule SWITCH
> set_role : Office_Switch
> set_access_duration : 1D
> Did not match against VEMAB for 'administration' rules
>
> Authenticating against 'VEMAB' in context 'portal'
> Authentication SUCCEEDED against VEMAB (Authentication successful.)
> Matched against VEMAB for 'authentication' rule SWITCH
> set_role : Office_Switch
> set_access_duration : 1D
> Did not match against VEMAB for 'administration' rules
>
> The output of packetfence.log when doing real auth is this:
>
> Sep 23 23:26:08 RADIUS-1 packetfence_httpd.aaa: httpd.aaa(1303) INFO: [mac:f8:60:f0:33:00:80] handling radius autz request: from switch_ip => (10.0.20.2), connection_type => Ethernet-NoEAP,switch_mac => (38:21:c7:4e:d1:22), mac => [f8:60:f0:33:00:80], port => 27, username => "[email protected]" (pf::radius::authorize)
> Sep 23 23:26:08 RADIUS-1 packetfence_httpd.aaa: httpd.aaa(1303) INFO: [mac:f8:60:f0:33:00:80] Instantiate profile LAN (pf::Connection::ProfileFactory::_from_profile)
> Sep 23 23:26:08 RADIUS-1 packetfence_httpd.aaa: httpd.aaa(1303) INFO: [mac:f8:60:f0:33:00:80] Found authentication source(s) : 'VEMAB' for realm 'default' (pf::config::util::filter_authentication_sources)
> Sep 23 23:26:08 RADIUS-1 packetfence_httpd.aaa: httpd.aaa(1303) WARN: [mac:f8:60:f0:33:00:80] No category computed for autoreg (pf::role::getNodeInfoForAutoReg)
> Sep 23 23:26:08 RADIUS-1 packetfence_httpd.aaa: httpd.aaa(1303) INFO: [mac:f8:60:f0:33:00:80] Found authentication source(s) : 'VEMAB' for realm 'default' (pf::config::util::filter_authentication_sources)
> Sep 23 23:26:08 RADIUS-1 packetfence_httpd.aaa: httpd.aaa(1303) INFO: [mac:f8:60:f0:33:00:80] Connection type is MAC-AUTH. Getting role from node_info (pf::role::getRegisteredRole)
> Sep 23 23:26:08 RADIUS-1 packetfence_httpd.aaa: httpd.aaa(1303) WARN: [mac:f8:60:f0:33:00:80] Use of uninitialized value $role in concatenation (.) or string at /usr/local/pf/lib/pf/role.pm line 489. (pf::role::getRegisteredRole)
> Sep 23 23:26:08 RADIUS-1 packetfence_httpd.aaa: httpd.aaa(1303) INFO: [mac:f8:60:f0:33:00:80] Username was NOT defined or unable to match a role - returning node based role '' (pf::role::getRegisteredRole)
> Sep 23 23:26:08 RADIUS-1 packetfence_httpd.aaa: httpd.aaa(1303) INFO: [mac:f8:60:f0:33:00:80] PID: "default", Status: reg Returned VLAN: (undefined), Role: (undefined) (pf::role::fetchRoleForNode)
> Sep 23 23:26:08 RADIUS-1 packetfence_httpd.aaa: httpd.aaa(1303) WARN: [mac:f8:60:f0:33:00:80] Use of uninitialized value $vlanName in hash element at /usr/local/pf/lib/pf/Switch.pm line 608. (pf::Switch::getVlanByName)
> Sep 23 23:26:08 RADIUS-1 packetfence_httpd.aaa: httpd.aaa(1303) WARN: [mac:f8:60:f0:33:00:80] Use of uninitialized value $vlanName in concatenation (.) or string at /usr/local/pf/lib/pf/Switch.pm line 611. (pf::Switch::getVlanByName)
> Sep 23 23:26:08 RADIUS-1 packetfence_httpd.aaa: httpd.aaa(1303) WARN: [mac:f8:60:f0:33:00:80] No parameter Vlan found in conf/switches.conf for the switch 10.0.20.2 (pf::Switch::getVlanByName)
> Sep 23 23:26:08 RADIUS-1 packetfence_httpd.aaa: httpd.aaa(1303) INFO: [mac:f8:60:f0:33:00:80] security_event 1300003 force-closed for f8:60:f0:33:00:80 (pf::security_event::security_event_force_close)
> Sep 23 23:26:08 RADIUS-1 packetfence_httpd.aaa: httpd.aaa(1303) INFO: [mac:f8:60:f0:33:00:80] Instantiate profile LAN (pf::Connection::ProfileFactory::_from_profile)
> Sep 23 23:26:08 RADIUS-1 packetfence_httpd.aaa: httpd.aaa(1303) INFO: [mac:f8:60:f0:33:00:80] handling radius autz request: from switch_ip => (10.0.20.2), connection_type => Ethernet-NoEAP,switch_mac => (38:21:c7:4e:d1:22), mac => [f8:60:f0:33:00:80], port => 27, username => "[email protected]" (pf::radius::authorize)
> Sep 23 23:26:08 RADIUS-1 packetfence_httpd.aaa: httpd.aaa(1303) INFO: [mac:f8:60:f0:33:00:80] Instantiate profile LAN (pf::Connection::ProfileFactory::_from_profile)
> Sep 23 23:26:08 RADIUS-1 packetfence_httpd.aaa: httpd.aaa(1303) INFO: [mac:f8:60:f0:33:00:80] Found authentication source(s) : 'VEMAB' for realm 'default' (pf::config::util::filter_authentication_sources)
> Sep 23 23:26:08 RADIUS-1 packetfence_httpd.aaa: httpd.aaa(1303) WARN: [mac:f8:60:f0:33:00:80] No category computed for autoreg (pf::role::getNodeInfoForAutoReg)
> Sep 23 23:26:08 RADIUS-1 packetfence_httpd.aaa: httpd.aaa(1303) INFO: [mac:f8:60:f0:33:00:80] Found authentication source(s) : 'VEMAB' for realm 'default' (pf::config::util::filter_authentication_sources)
> Sep 23 23:26:08 RADIUS-1 packetfence_httpd.aaa: httpd.aaa(1303) INFO: [mac:f8:60:f0:33:00:80] Connection type is MAC-AUTH. Getting role from node_info (pf::role::getRegisteredRole)
> Sep 23 23:26:08 RADIUS-1 packetfence_httpd.aaa: httpd.aaa(1303) WARN: [mac:f8:60:f0:33:00:80] Use of uninitialized value $role in concatenation (.) or string at /usr/local/pf/lib/pf/role.pm line 489. (pf::role::getRegisteredRole)
> Sep 23 23:26:08 RADIUS-1 packetfence_httpd.aaa: httpd.aaa(1303) INFO: [mac:f8:60:f0:33:00:80] Username was NOT defined or unable to match a role - returning node based role '' (pf::role::getRegisteredRole)
> Sep 23 23:26:08 RADIUS-1 packetfence_httpd.aaa: httpd.aaa(1303) INFO: [mac:f8:60:f0:33:00:80] PID: "default", Status: reg Returned VLAN: (undefined), Role: (undefined) (pf::role::fetchRoleForNode)
> Sep 23 23:26:08 RADIUS-1 packetfence_httpd.aaa: httpd.aaa(1303) WARN: [mac:f8:60:f0:33:00:80] Use of uninitialized value $vlanName in hash element at /usr/local/pf/lib/pf/Switch.pm line 608. (pf::Switch::getVlanByName)
> Sep 23 23:26:08 RADIUS-1 packetfence_httpd.aaa: httpd.aaa(1303) WARN: [mac:f8:60:f0:33:00:80] Use of uninitialized value $vlanName in concatenation (.) or string at /usr/local/pf/lib/pf/Switch.pm line 611. (pf::Switch::getVlanByName)
> Sep 23 23:26:08 RADIUS-1 packetfence_httpd.aaa: httpd.aaa(1303) WARN: [mac:f8:60:f0:33:00:80] No parameter Vlan found in conf/switches.conf for the switch 10.0.20.2 (pf::Switch::getVlanByName)
> Sep 23 23:26:08 RADIUS-1 packetfence_httpd.aaa: httpd.aaa(1303) INFO: [mac:f8:60:f0:33:00:80] security_event 1300003 force-closed for f8:60:f0:33:00:80 (pf::security_event::security_event_force_close)
> Sep 23 23:26:08 RADIUS-1 packetfence_httpd.aaa: httpd.aaa(1303) INFO: [mac:f8:60:f0:33:00:80] Instantiate profile LAN (pf::Connection::ProfileFactory::_from_profile)
>
> Why does it claim this to be “Connection type is MAC-AUTH”?
>
> BR,
> Anton.
> _______________________________________________
> PacketFence-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/packetfence-users
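The two outcomes visible in the logs quoted in this thread (a role returned for the username versus the empty node-based fallback) can be pulled out of packetfence.log per authorize request. The script below is an added example, not part of the original messages and not PacketFence code; the sample lines, host name, MAC addresses and usernames are constructed, and the function names `triage` and `missing_role` are hypothetical.

```python
import re
# Constructed sample lines modeled on the packetfence.log format quoted in the thread.
_P = "Sep 23 23:26:08 nac-1 packetfence_httpd.aaa: httpd.aaa(1303) "
SAMPLE_LOG = "\n".join([
    _P + 'INFO: [mac:00:00:5e:00:53:01] handling radius autz request: from switch_ip => (192.0.2.2), connection_type => Ethernet-NoEAP,switch_mac => (00:00:5e:00:53:aa), mac => [00:00:5e:00:53:01], port => 27, username => "uplink-a@example.test" (pf::radius::authorize)',
    _P + "INFO: [mac:00:00:5e:00:53:01] Connection type is MAC-AUTH. Getting role from node_info (pf::role::getRegisteredRole)",
    _P + "INFO: [mac:00:00:5e:00:53:01] Username was NOT defined or unable to match a role - returning node based role '' (pf::role::getRegisteredRole)",
    _P + 'INFO: [mac:00:00:5e:00:53:02] handling radius autz request: from switch_ip => (192.0.2.3), connection_type => Ethernet-NoEAP,switch_mac => (00:00:5e:00:53:bb), mac => [00:00:5e:00:53:02], port => 8, username => "uplink-b@example.test" (pf::radius::authorize)',
    _P + "INFO: [mac:00:00:5e:00:53:02] Connection type is MAC-AUTH. Getting role from node_info (pf::role::getRegisteredRole)",
    _P + "INFO: [mac:00:00:5e:00:53:02] Username was defined \"uplink-b@example.test\" - returning role 'Office_Switch' (pf::role::getRegisteredRole)",
])

ENTRY = re.compile(r"\[mac:(?P<mac>[0-9a-f:]{17})\] (?P<msg>.*) \((?P<sub>pf::[\w:]+)\)\s*$")
REQUEST = re.compile(r'connection_type => (?P<ctype>[\w-]+),.*username => "(?P<user>[^"]*)"')
HANDLED = re.compile(r"Connection type is (?P<kind>[\w-]+)\.")
FALLBACK = re.compile(r"Username was NOT defined or unable to match a role - returning node based role '(?P<role>[^']*)'")
MATCHED = re.compile(r"Username was defined .* - returning role '(?P<role>[^']*)'")

def triage(log_text):
    """Return one record per 'handling radius autz request' entry, in log order."""
    requests, current = [], {}          # current: latest open request per MAC
    for line in log_text.splitlines():
        entry = ENTRY.search(line)
        if not entry:
            continue
        mac, msg = entry["mac"], entry["msg"]
        req = REQUEST.search(msg)
        if req and entry["sub"] == "pf::radius::authorize":
            current[mac] = {"mac": mac, "connection_type": req["ctype"], "username": req["user"],
                            "handled_as": None, "role": None, "role_source": None}
            requests.append(current[mac])
            continue
        rec = current.get(mac)
        if rec is None:
            continue                    # entry for a MAC with no request seen yet
        if (m := HANDLED.search(msg)):
            rec["handled_as"] = m["kind"]
        if (m := FALLBACK.search(msg)):
            rec.update(role=m["role"] or None, role_source="node")
        elif (m := MATCHED.search(msg)):
            rec.update(role=m["role"], role_source="username")
    return requests

def missing_role(requests):
    """Requests that carried a username yet finished without any role."""
    return [r for r in requests if r["username"] and not r["role"]]

if __name__ == "__main__":
    print(missing_role(triage(SAMPLE_LOG)))
```

Each record keeps both the `connection_type` sent by the switch and the type named in the "Connection type is" entry, so the two can be compared per request.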
