Hello,

Could you paste your conf/authentication.conf, with private info removed?

Thanks,

Ludovic Zammit
[email protected] :: +1.514.447.4918 (x145) :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence (http://packetfence.org)

> On Sep 28, 2020, at 3:57 AM, Fetakungen Virtual Adventurer <[email protected]> wrote:
>
> vim-foradsgatan-d1s1-a1 is the account name, yes. I tried to set the role to unset as it was before, with the same result: still not matching any AD rule. The AD rule is matched in the pftest though..
>
> Why doesn't it match my AD rule? It should at least match my catch-all guest rule?
>
> <image001.png>
>
> Thanks a lot for help and input.
>
> BR,
> Anton
>
> From: Ludovic Zammit <[email protected]>
> Sent: 25 September 2020 14:28
> To: Fetakungen Virtual Adventurer <[email protected]>
> Cc: [email protected]
> Subject: Re: [PacketFence-users] Packetfence set role by mac not user...
>
> Correct, it works because you have assigned it manually, and the issue there is that it does not match the rule of your AD, thus not getting any authorization.
>
> Fix that and it will fix your issue.
>
> Is vim-foradsgatan-d1s1-a1 a samaccountname?
>
> Thanks,
>
> Ludovic Zammit
> Inverse inc.
>
> On Sep 24, 2020, at 5:43 PM, Fetakungen Virtual Adventurer <[email protected]> wrote:
>
> Thanks, tried but the same result. User gets approved, but the role gets decided by the "node", so if I don't assign a role after the node is registered it does the same. If I assign a role to the node / mac, the system assigns the role to the user as expected.
>
> This is how it looks with a role assigned to the node. My vlan is assigned correctly, but since I now have to set the vlan manually for every node, my user group rules do squat...
>
> Sep 24 20:01:07 RADIUS-1 packetfence_httpd.aaa: httpd.aaa(2126) INFO: [mac:08:f1:ea:3f:11:40] handling radius autz request: from switch_ip => (10.0.10.11), connection_type => Ethernet-NoEAP,switch_mac => (08:f1:ea:64:c4:00), mac => [08:f1:ea:3f:11:40], port => 8, username => "[email protected]" (pf::radius::authorize)
> Sep 24 20:01:07 RADIUS-1 packetfence_httpd.aaa: httpd.aaa(2126) INFO: [mac:08:f1:ea:3f:11:40] Instantiate profile LAN (pf::Connection::ProfileFactory::_from_profile)
> Sep 24 20:01:07 RADIUS-1 packetfence_httpd.aaa: httpd.aaa(2126) INFO: [mac:08:f1:ea:3f:11:40] Found authentication source(s) : 'xxxxx' for realm 'default' (pf::config::util::filter_authentication_sources)
> Sep 24 20:01:07 RADIUS-1 packetfence_httpd.aaa: httpd.aaa(2126) WARN: [mac:08:f1:ea:3f:11:40] No category computed for autoreg (pf::role::getNodeInfoForAutoReg)
> Sep 24 20:01:07 RADIUS-1 packetfence_httpd.aaa: httpd.aaa(2126) INFO: [mac:08:f1:ea:3f:11:40] Found authentication source(s) : 'xxxxx' for realm 'default' (pf::config::util::filter_authentication_sources)
> Sep 24 20:01:07 RADIUS-1 packetfence_httpd.aaa: httpd.aaa(2126) INFO: [mac:08:f1:ea:3f:11:40] Connection type is MAC-AUTH. Getting role from node_info (pf::role::getRegisteredRole)
> Sep 24 20:01:07 RADIUS-1 packetfence_httpd.aaa: httpd.aaa(2126) INFO: [mac:08:f1:ea:3f:11:40] Username was defined "[email protected]" - returning role 'Office_Switch' (pf::role::getRegisteredRole)
> Sep 24 20:01:07 RADIUS-1 packetfence_httpd.aaa: httpd.aaa(2126) INFO: [mac:08:f1:ea:3f:11:40] PID: "default", Status: reg Returned VLAN: (undefined), Role: Office_Switch (pf::role::fetchRoleForNode)
> Sep 24 20:01:07 RADIUS-1 packetfence_httpd.aaa: httpd.aaa(2126) INFO: [mac:08:f1:ea:3f:11:40] (10.0.10.11) Added VLAN 1 to the returned RADIUS Access-Accept (pf::Switch::returnRadiusAccessAccept)
> Sep 24 20:01:07 RADIUS-1 packetfence_httpd.aaa: httpd.aaa(2126) INFO: [mac:08:f1:ea:3f:11:40] security_event 1300003 force-closed for 08:f1:ea:3f:11:40 (pf::security_event::security_event_force_close)
> Sep 24 20:01:07 RADIUS-1 packetfence_httpd.aaa: httpd.aaa(2126) INFO: [mac:08:f1:ea:3f:11:40] Instantiate profile LAN (pf::Connection::ProfileFactory::_from_profile)
> Sep 24 20:01:07 RADIUS-1 packetfence_httpd.aaa: httpd.aaa(2126) INFO: [mac:08:f1:ea:3f:11:40] handling radius autz request: from switch_ip => (10.0.10.11), connection_type => Ethernet-NoEAP,switch_mac => (08:f1:ea:64:c4:00), mac => [08:f1:ea:3f:11:40], port => 8, username => "[email protected]" (pf::radius::authorize)
> Sep 24 20:01:07 RADIUS-1 packetfence_httpd.aaa: httpd.aaa(2126) INFO: [mac:08:f1:ea:3f:11:40] Instantiate profile LAN (pf::Connection::ProfileFactory::_from_profile)
> Sep 24 20:01:07 RADIUS-1 packetfence_httpd.aaa: httpd.aaa(2126) INFO: [mac:08:f1:ea:3f:11:40] Found authentication source(s) : 'xxxxx' for realm 'default' (pf::config::util::filter_authentication_sources)
> Sep 24 20:01:07 RADIUS-1 packetfence_httpd.aaa: httpd.aaa(2126) WARN: [mac:08:f1:ea:3f:11:40] No category computed for autoreg (pf::role::getNodeInfoForAutoReg)
> Sep 24 20:01:07 RADIUS-1 packetfence_httpd.aaa: httpd.aaa(2126) INFO: [mac:08:f1:ea:3f:11:40] Found authentication source(s) : 'xxxxx' for realm 'default' (pf::config::util::filter_authentication_sources)
> Sep 24 20:01:07 RADIUS-1 packetfence_httpd.aaa: httpd.aaa(2126) INFO: [mac:08:f1:ea:3f:11:40] Connection type is MAC-AUTH. Getting role from node_info (pf::role::getRegisteredRole)
> Sep 24 20:01:07 RADIUS-1 packetfence_httpd.aaa: httpd.aaa(2126) INFO: [mac:08:f1:ea:3f:11:40] Username was defined "[email protected]" - returning role 'Office_Switch' (pf::role::getRegisteredRole)
> Sep 24 20:01:07 RADIUS-1 packetfence_httpd.aaa: httpd.aaa(2126) INFO: [mac:08:f1:ea:3f:11:40] PID: "default", Status: reg Returned VLAN: (undefined), Role: Office_Switch (pf::role::fetchRoleForNode)
> Sep 24 20:01:07 RADIUS-1 packetfence_httpd.aaa: httpd.aaa(2126) INFO: [mac:08:f1:ea:3f:11:40] (10.0.10.11) Added VLAN 1 to the returned RADIUS Access-Accept (pf::Switch::returnRadiusAccessAccept)
> Sep 24 20:01:07 RADIUS-1 packetfence_httpd.aaa: httpd.aaa(2126) INFO: [mac:08:f1:ea:3f:11:40] security_event 1300003 force-closed for 08:f1:ea:3f:11:40 (pf::security_event::security_event_force_close)
> Sep 24 20:01:07 RADIUS-1 packetfence_httpd.aaa: httpd.aaa(2126) INFO: [mac:08:f1:ea:3f:11:40] Instantiate profile LAN (pf::Connection::ProfileFactory::_from_profile)
>
> "] Connection type is MAC-AUTH. Getting role from node_info" Why does it claim mac auth at all after the user auth?
>
> BR,
> Anton.
>
> From: Ludovic Zammit <[email protected]>
> Sent: 24 September 2020 16:56
> To: [email protected]
> Cc: Fetakungen Virtual Adventurer <[email protected]>
> Subject: Re: [PacketFence-users] Packetfence set role by mac not user...
>
> Hello there,
>
> You need to split the username in your default realm:
>
> <image001.png>
>
> Thanks,
>
> Ludovic Zammit
> Inverse inc.
>
> On Sep 23, 2020, at 5:59 PM, Fetakungen Virtual Adventurer via PacketFence-users <[email protected]> wrote:
>
> Hi, I still have a problem with my role assignment when I'm trying to use RADIUS auth for my HP access switches.
>
> The config is aaa authentication port-access chap-radius Server-group "XX" / aaa port-access authenticator X/XX on the authenticating switch, which in this case is 10.0.20.2, and the access switch (supplicant) config is: aaa port-access supplicant 25 identity [email protected] secret yyyyy
>
> The authentication request is approved, but instead of using the username for role assignment it seems to use the "node" role which is put on the access switch MAC, in this case f8:60:f0:33:00:80, when the node is "auto registered". As the role by default is no role, no role is assigned. So there is the "explanation", but why is this happening?
>
> In the authentication source which is being used, the rule is to put the switch with role "office_switch". But since PacketFence only authenticates the user and then tries to assign the role by MAC, this fails / is being skipped..
>
> This rule works fine with pftest... The output of pftest is this:
>
> Authenticating against 'VEMAB' in context 'admin'
> Authentication SUCCEEDED against VEMAB (Authentication successful.)
> Matched against VEMAB for 'authentication' rule SWITCH
> set_role : Office_Switch
> set_access_duration : 1D
> Did not match against VEMAB for 'administration' rules
>
> Authenticating against 'VEMAB' in context 'portal'
> Authentication SUCCEEDED against VEMAB (Authentication successful.)
> Matched against VEMAB for 'authentication' rule SWITCH
> set_role : Office_Switch
> set_access_duration : 1D
> Did not match against VEMAB for 'administration' rules
>
> The output of packetfence.log when doing real auth is this:
>
> Sep 23 23:26:08 RADIUS-1 packetfence_httpd.aaa: httpd.aaa(1303) INFO: [mac:f8:60:f0:33:00:80] handling radius autz request: from switch_ip => (10.0.20.2), connection_type => Ethernet-NoEAP,switch_mac => (38:21:c7:4e:d1:22), mac => [f8:60:f0:33:00:80], port => 27, username => "[email protected]" (pf::radius::authorize)
> Sep 23 23:26:08 RADIUS-1 packetfence_httpd.aaa: httpd.aaa(1303) INFO: [mac:f8:60:f0:33:00:80] Instantiate profile LAN (pf::Connection::ProfileFactory::_from_profile)
> Sep 23 23:26:08 RADIUS-1 packetfence_httpd.aaa: httpd.aaa(1303) INFO: [mac:f8:60:f0:33:00:80] Found authentication source(s) : 'VEMAB' for realm 'default' (pf::config::util::filter_authentication_sources)
> Sep 23 23:26:08 RADIUS-1 packetfence_httpd.aaa: httpd.aaa(1303) WARN: [mac:f8:60:f0:33:00:80] No category computed for autoreg (pf::role::getNodeInfoForAutoReg)
> Sep 23 23:26:08 RADIUS-1 packetfence_httpd.aaa: httpd.aaa(1303) INFO: [mac:f8:60:f0:33:00:80] Found authentication source(s) : 'VEMAB' for realm 'default' (pf::config::util::filter_authentication_sources)
> Sep 23 23:26:08 RADIUS-1 packetfence_httpd.aaa: httpd.aaa(1303) INFO: [mac:f8:60:f0:33:00:80] Connection type is MAC-AUTH. Getting role from node_info (pf::role::getRegisteredRole)
> Sep 23 23:26:08 RADIUS-1 packetfence_httpd.aaa: httpd.aaa(1303) WARN: [mac:f8:60:f0:33:00:80] Use of uninitialized value $role in concatenation (.) or string at /usr/local/pf/lib/pf/role.pm line 489. (pf::role::getRegisteredRole)
> Sep 23 23:26:08 RADIUS-1 packetfence_httpd.aaa: httpd.aaa(1303) INFO: [mac:f8:60:f0:33:00:80] Username was NOT defined or unable to match a role - returning node based role '' (pf::role::getRegisteredRole)
> Sep 23 23:26:08 RADIUS-1 packetfence_httpd.aaa: httpd.aaa(1303) INFO: [mac:f8:60:f0:33:00:80] PID: "default", Status: reg Returned VLAN: (undefined), Role: (undefined) (pf::role::fetchRoleForNode)
> Sep 23 23:26:08 RADIUS-1 packetfence_httpd.aaa: httpd.aaa(1303) WARN: [mac:f8:60:f0:33:00:80] Use of uninitialized value $vlanName in hash element at /usr/local/pf/lib/pf/Switch.pm line 608. (pf::Switch::getVlanByName)
> Sep 23 23:26:08 RADIUS-1 packetfence_httpd.aaa: httpd.aaa(1303) WARN: [mac:f8:60:f0:33:00:80] Use of uninitialized value $vlanName in concatenation (.) or string at /usr/local/pf/lib/pf/Switch.pm line 611. (pf::Switch::getVlanByName)
> Sep 23 23:26:08 RADIUS-1 packetfence_httpd.aaa: httpd.aaa(1303) WARN: [mac:f8:60:f0:33:00:80] No parameter Vlan found in conf/switches.conf for the switch 10.0.20.2 (pf::Switch::getVlanByName)
> Sep 23 23:26:08 RADIUS-1 packetfence_httpd.aaa: httpd.aaa(1303) INFO: [mac:f8:60:f0:33:00:80] security_event 1300003 force-closed for f8:60:f0:33:00:80 (pf::security_event::security_event_force_close)
> Sep 23 23:26:08 RADIUS-1 packetfence_httpd.aaa: httpd.aaa(1303) INFO: [mac:f8:60:f0:33:00:80] Instantiate profile LAN (pf::Connection::ProfileFactory::_from_profile)
> Sep 23 23:26:08 RADIUS-1 packetfence_httpd.aaa: httpd.aaa(1303) INFO: [mac:f8:60:f0:33:00:80] handling radius autz request: from switch_ip => (10.0.20.2), connection_type => Ethernet-NoEAP,switch_mac => (38:21:c7:4e:d1:22), mac => [f8:60:f0:33:00:80], port => 27, username => "[email protected]" (pf::radius::authorize)
> Sep 23 23:26:08 RADIUS-1 packetfence_httpd.aaa: httpd.aaa(1303) INFO: [mac:f8:60:f0:33:00:80] Instantiate profile LAN (pf::Connection::ProfileFactory::_from_profile)
> Sep 23 23:26:08 RADIUS-1 packetfence_httpd.aaa: httpd.aaa(1303) INFO: [mac:f8:60:f0:33:00:80] Found authentication source(s) : 'VEMAB' for realm 'default' (pf::config::util::filter_authentication_sources)
> Sep 23 23:26:08 RADIUS-1 packetfence_httpd.aaa: httpd.aaa(1303) WARN: [mac:f8:60:f0:33:00:80] No category computed for autoreg (pf::role::getNodeInfoForAutoReg)
> Sep 23 23:26:08 RADIUS-1 packetfence_httpd.aaa: httpd.aaa(1303) INFO: [mac:f8:60:f0:33:00:80] Found authentication source(s) : 'VEMAB' for realm 'default' (pf::config::util::filter_authentication_sources)
> Sep 23 23:26:08 RADIUS-1 packetfence_httpd.aaa: httpd.aaa(1303) INFO: [mac:f8:60:f0:33:00:80] Connection type is MAC-AUTH. Getting role from node_info (pf::role::getRegisteredRole)
> Sep 23 23:26:08 RADIUS-1 packetfence_httpd.aaa: httpd.aaa(1303) WARN: [mac:f8:60:f0:33:00:80] Use of uninitialized value $role in concatenation (.) or string at /usr/local/pf/lib/pf/role.pm line 489. (pf::role::getRegisteredRole)
> Sep 23 23:26:08 RADIUS-1 packetfence_httpd.aaa: httpd.aaa(1303) INFO: [mac:f8:60:f0:33:00:80] Username was NOT defined or unable to match a role - returning node based role '' (pf::role::getRegisteredRole)
> Sep 23 23:26:08 RADIUS-1 packetfence_httpd.aaa: httpd.aaa(1303) INFO: [mac:f8:60:f0:33:00:80] PID: "default", Status: reg Returned VLAN: (undefined), Role: (undefined) (pf::role::fetchRoleForNode)
> Sep 23 23:26:08 RADIUS-1 packetfence_httpd.aaa: httpd.aaa(1303) WARN: [mac:f8:60:f0:33:00:80] Use of uninitialized value $vlanName in hash element at /usr/local/pf/lib/pf/Switch.pm line 608. (pf::Switch::getVlanByName)
> Sep 23 23:26:08 RADIUS-1 packetfence_httpd.aaa: httpd.aaa(1303) WARN: [mac:f8:60:f0:33:00:80] Use of uninitialized value $vlanName in concatenation (.) or string at /usr/local/pf/lib/pf/Switch.pm line 611. (pf::Switch::getVlanByName)
> Sep 23 23:26:08 RADIUS-1 packetfence_httpd.aaa: httpd.aaa(1303) WARN: [mac:f8:60:f0:33:00:80] No parameter Vlan found in conf/switches.conf for the switch 10.0.20.2 (pf::Switch::getVlanByName)
> Sep 23 23:26:08 RADIUS-1 packetfence_httpd.aaa: httpd.aaa(1303) INFO: [mac:f8:60:f0:33:00:80] security_event 1300003 force-closed for f8:60:f0:33:00:80 (pf::security_event::security_event_force_close)
> Sep 23 23:26:08 RADIUS-1 packetfence_httpd.aaa: httpd.aaa(1303) INFO: [mac:f8:60:f0:33:00:80] Instantiate profile LAN (pf::Connection::ProfileFactory::_from_profile)
>
> Why does it claim this to be "Connection type is MAC-AUTH"?
>
> BR,
> Anton.
> _______________________________________________
> PacketFence-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/packetfence-users
_______________________________________________ PacketFence-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/packetfence-users
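As an added illustration (not code from the thread or from PacketFence), a Python audit over log lines constructed after the httpd.aaa excerpts quoted above: it groups the lines by client MAC, records whether a request ended with "Username was NOT defined or unable to match a role" and what fetchRoleForNode returned, and shows what splitting the identity at "@" yields. The identities in the sample are made up (the originals were redacted), and split_realm is my reading of the "split the username in your default realm" advice, not PacketFence's own realm handling.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the thread's packetfence_httpd.aaa excerpts (identities made up).
SAMPLE_LOG = """\
Sep 23 23:26:08 RADIUS-1 packetfence_httpd.aaa: httpd.aaa(1303) INFO: [mac:f8:60:f0:33:00:80] handling radius autz request: from switch_ip => (10.0.20.2), connection_type => Ethernet-NoEAP,switch_mac => (38:21:c7:4e:d1:22), mac => [f8:60:f0:33:00:80], port => 27, username => "switch01@example.lab" (pf::radius::authorize)
Sep 23 23:26:08 RADIUS-1 packetfence_httpd.aaa: httpd.aaa(1303) INFO: [mac:f8:60:f0:33:00:80] Connection type is MAC-AUTH. Getting role from node_info (pf::role::getRegisteredRole)
Sep 23 23:26:08 RADIUS-1 packetfence_httpd.aaa: httpd.aaa(1303) INFO: [mac:f8:60:f0:33:00:80] Username was NOT defined or unable to match a role - returning node based role '' (pf::role::getRegisteredRole)
Sep 23 23:26:08 RADIUS-1 packetfence_httpd.aaa: httpd.aaa(1303) INFO: [mac:f8:60:f0:33:00:80] PID: "default", Status: reg Returned VLAN: (undefined), Role: (undefined) (pf::role::fetchRoleForNode)
Sep 24 20:01:07 RADIUS-1 packetfence_httpd.aaa: httpd.aaa(2126) INFO: [mac:08:f1:ea:3f:11:40] handling radius autz request: from switch_ip => (10.0.10.11), connection_type => Ethernet-NoEAP,switch_mac => (08:f1:ea:64:c4:00), mac => [08:f1:ea:3f:11:40], port => 8, username => "switch02@example.lab" (pf::radius::authorize)
Sep 24 20:01:07 RADIUS-1 packetfence_httpd.aaa: httpd.aaa(2126) INFO: [mac:08:f1:ea:3f:11:40] Connection type is MAC-AUTH. Getting role from node_info (pf::role::getRegisteredRole)
Sep 24 20:01:07 RADIUS-1 packetfence_httpd.aaa: httpd.aaa(2126) INFO: [mac:08:f1:ea:3f:11:40] Username was defined "switch02@example.lab" - returning role 'Office_Switch' (pf::role::getRegisteredRole)
Sep 24 20:01:07 RADIUS-1 packetfence_httpd.aaa: httpd.aaa(2126) INFO: [mac:08:f1:ea:3f:11:40] PID: "default", Status: reg Returned VLAN: (undefined), Role: Office_Switch (pf::role::fetchRoleForNode)
"""

MAC_RE = re.compile(r"\[mac:([0-9a-f:]{17})\]")
USER_RE = re.compile(r'username => "([^"]*)"')
ROLE_RE = re.compile(r"Role: (\(undefined\)|\S+) \(pf::role::fetchRoleForNode\)")
FALLBACK = "Username was NOT defined or unable to match a role"


def split_realm(identity):
    """Split 'user@realm' into (user, realm); realm is None without an '@' (assumed realm-strip semantics)."""
    user, sep, realm = identity.partition("@")
    return user, (realm.lower() if sep else None)


def audit(log_text):
    """Group httpd.aaa lines by client MAC and report how each request's role was decided."""
    reqs = defaultdict(dict)
    for line in log_text.splitlines():
        if not (m := MAC_RE.search(line)):
            continue
        rec = reqs[m.group(1)]
        if (u := USER_RE.search(line)):
            rec["username"] = u.group(1)
        if FALLBACK in line:  # the thread's symptom: user auth passed, role fell back to the node
            rec["fell_back_to_node"] = True
        if (r := ROLE_RE.search(line)):
            rec["role"] = None if r.group(1) == "(undefined)" else r.group(1)
    report = {}
    for mac, rec in reqs.items():
        user, realm = split_realm(rec.get("username", ""))
        fell_back = rec.get("fell_back_to_node", False)
        if user and fell_back:
            verdict = "username present but no source rule matched; empty node role used"
        else:
            verdict = "role assigned" if rec.get("role") else "no role"
        report[mac] = {"user": user, "realm": realm, "role": rec.get("role"),
                       "fell_back_to_node": fell_back, "verdict": verdict}
    return report
```

A request that reaches fetchRoleForNode with Role: (undefined) while a username was supplied is the case to alert on: the supplicant authenticated, but the authorization rule never applied.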
