Good morning, I'm looking to assign a user a role, based on their membership in AD and have that returned to the FortiGate to allow the user to connect to the VPN.
User login comes in from the VPN. The user authenticates:

User-Name = "chris"
NAS-IP-Address = 10.10.20.10
Called-Station-Id = "10.10.20.10"
Calling-Station-Id = "10.10.10.10"
NAS-Identifier = "FortiGate"
Proxy-State = 0x313631
NAS-Port-Type = Virtual
Acct-Session-Id = "46906026"
Event-Timestamp = "May 11 2021 10:23:26 ADT"
Connect-Info = "vpn-ssl"
Message-Authenticator = 0xcc6237fa515961d575f802b4a0908044
Fortinet-Vdom-Name = "root"
MS-CHAP-Challenge = 0x92ae68a2ac66124ad164042f4f38c45b
MS-CHAP2-Response = 0x7e00806b361b428955e2c7df110c101a8be4000000000000000050fe07df152cd08c0445ee178820959c7bb361acf054930c
Stripped-User-Name = "chris"
Realm = "null"
FreeRADIUS-Client-IP-Address = packetfenceVIP
PacketFence-Domain = "DOMAIN"
PacketFence-KeyBalanced = "2276c8900707b1d83ae8bfcaa3008c39"
PacketFence-Radius-Ip = "packetfence1"
PacketFence-NTLMv2-Only = "--allow-mschapv2"
User-Password = "******"
SQL-User-Name = "chris"

RADIUS Reply
MS-CHAP2-Success = 0x7e533d45464232384144444444433243304643323339413633424430303635354336354243423341423039
Proxy-State = 0x313631

I have a connection profile that it's supposed to flow through:

'SSLVPN-90e-Test' => {
  'billing_tiers' => [],
  'filter_match_style' => 'all',
  'preregistration' => 'disabled',
  'sms_pin_retry_limit' => '0',
  'unbound_dpsk' => 'disabled',
  'locale' => [],
  'vlan_pool_technique' => 'username_hash',
  'always_use_redirecturl' => 'disabled',
  'login_attempt_limit' => '0',
  'template_paths' => [
    '/usr/local/pf/html/captive-portal/profile-templates/SSLVPN-90e-Test',
    '/usr/local/pf/html/captive-portal/profile-templates/default',
    '/usr/local/pf/html/captive-portal/templates'
  ],
  'guest_modes' => '',
  'description' => 'SSLVPN',
  'network_logoff_popup' => 'disabled',
  'reuse_dot1x_credentials' => '0',
  'sources' => [ 'DOMAIN-SSLVPN' ],
  'access_registration_when_registered' => 'disabled',
  'block_interval' => 600,
  'advanced_filter' => '',
  'provisioners' => [],
  'dot1x_recompute_role_from_portal' => 'enabled',
  'dot1x_unset_on_unmatch' => 'disabled',
  'status' => 'enabled',
  'unreg_on_acct_stop' => 'disabled',
  'root_module' => 'default_policy',
  'sms_request_limit' => '0',
  'network_logoff' => 'disabled',
  'dpsk' => 'disabled',
  'filter' => [ 'tenant:1', 'switch_group:VPN-Server' ],
  'mac_auth_recompute_role_from_portal' => 'disabled',
  'autoregister' => 'disabled',
  'scans' => [],
  'redirecturl' => 'http://www.packetfence.org/',
  'logo' => '/common/packetfence-cp.png',
  'self_service' => 'default'
}

This is the source:

bless( {
  'cache_match' => '0',
  'realms' => [],
  'read_timeout' => '10',
  'basedn' => 'DC=ad,DC=domain,DC=ca',
  'monitor' => '1',
  'rules' => [
    bless( {
      'cache_key' => 'memberOf,equals,CN=NETWORKS,OU=Users,OU=Secured Groups,OU=NAC,OU=Protected Groups,OU=Admin,DC=ad DC=domain,DC=ca',
      'actions' => [
        bless( { 'value' => 'SSLVPN-NetAdmin', 'type' => 'set_role', 'class' => 'authentication' }, 'pf::Authentication::Action' ),
        bless( { 'value' => '1D', 'type' => 'set_access_duration', 'class' => 'authentication' }, 'pf::Authentication::Action' )
      ],
      'status' => 'enabled',
      'match' => 'all',
      'description' => 'SSLVPN NetAdmin group',
      'class' => 'authentication',
      'id' => 'SSLVPN-NetAdmin',
      'conditions' => [
        bless( { 'operator' => 'equals', 'attribute' => 'memberOf', 'value' => 'CN=NETWORKS,OU=Users,OU=Secured Groups,OU=NAC,OU=Protected Groups,OU=Admin,DC=ad DC=domain,DC=ca' }, 'pf::Authentication::Condition' )
      ]
    }, 'pf::Authentication::Rule' )
  ],
  'password' => 'h2M6z!A^z#kA3kHLG^XrQL6M9UcMos',
  'dynamic_routing_module' => 'AuthModule',
  'shuffle' => '1',
  'searchattributes' => [ 'sAMAccountName' ],
  'id' => 'Domain-SSLVPN',
  'scope' => 'sub',
  'unique' => 0,
  'email_attribute' => 'mail',
  'usernameattribute' => 'sAMAccountName',
  'dead_duration' => '60',
  'connection_timeout' => '1',
  'binddn' => 'CN=PacketFence Authentication,OU=Service Accounts,OU=Admin,DC=ad,DC=domain,DC=ca',
  'encryption' => 'ssl',
  'description' => 'Domain - People Authentication - SSLVPN',
  'port' => '636',
  'host' => [ 'ad1.ad.domain.ca', 'ad2.ad.domain.ca', 'ad3.ad.domain.ca' ],
  'write_timeout' => '5',
  'type' => 'AD',
  'class' => 'internal'
}, 'pf::Authentication::Source::ADSource' ),

Here is the switch group and switch:

[172.18.1.90]
description=TEST VPN with FG90E
group=VPN-Server
radiusSecret=testVPN
SSLVPN-NetAdminRole=SSLVPN-NetAdmin
SSLVPN-NetAdminVlan=999
RoleMap=Y
VlanMap=N

[group VPN-Server]
description=VPN Authentication
VoIPDHCPDetect=N
cliAccess=Y
type=Fortinet::FortiGate
VlanMap=N
SSLVPN-NetAdminRole=SSLVPN-NetAdmin
RoleMap=Y
radiusSecret=testVPN

Here is the Radius-Filter:

[SSLVPN-NetAdmin]
status=enabled
top_op=and
description=test sslvpn
scopes=returnRadiusAccessAccept
merge_answer=yes
condition=switch._ip == "172.18.1.90" && switch._roles == "SSLVPN-NetAdmin"
answer.0=reply:Fortinet-Group-Name = VPN-ITS-NetServ

But it doesn't seem to hit the Radius-Filter.

Cheers,
Chris
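As an added example (not from the post above and not PacketFence code), a small parser for the flattened FreeRADIUS-style attribute dump that splits request from reply and reports whether the Access-Accept actually carries the Fortinet-Group-Name the filter's answer is meant to add, and whether the request's NAS-IP-Address is the IP named in the filter condition. The condensed sample dump, the filter_ip argument and the helper names are constructed for this illustration.

```python
import re

# Constructed sample, condensed from the request/reply debug lines quoted in the
# post; hex blobs are shortened, so this is not the original output verbatim.
SAMPLE_DUMP = (
    'User-Name = "chris" NAS-IP-Address = 10.10.20.10 '
    'Called-Station-Id = "10.10.20.10" Calling-Station-Id = "10.10.10.10" '
    'NAS-Identifier = "FortiGate" Proxy-State = 0x313631 NAS-Port-Type = Virtual '
    'Connect-Info = "vpn-ssl" Fortinet-Vdom-Name = "root" '
    'PacketFence-Domain = "DOMAIN" User-Password = "******" '
    'RADIUS Reply MS-CHAP2-Success = 0x7e533d Proxy-State = 0x313631'
)

# One "Name = value" pair: a quoted string, a 0x hex blob, or a bare token.
ATTR_RE = re.compile(r'([A-Za-z0-9-]+) = ("[^"]*"|0x[0-9A-Fa-f]+|\S+)')


def parse_attrs(text):
    """Return {attribute: [values]} so repeated attributes (Proxy-State) survive."""
    attrs = {}
    for name, raw in ATTR_RE.findall(text):
        value = raw[1:-1] if raw.startswith('"') else raw
        attrs.setdefault(name, []).append(value)
    return attrs


def split_request_reply(dump):
    """Split the flattened debug text at the 'RADIUS Reply' marker."""
    request, _, reply = dump.partition("RADIUS Reply")
    return parse_attrs(request), parse_attrs(reply)


def diagnose(dump, filter_ip, expected_reply_attr):
    """Compare the exchange with what the filter condition and answer expect."""
    request, reply = split_request_reply(dump)
    nas_ip = request.get("NAS-IP-Address", [None])[0]
    return {
        "user": request.get("User-Name", [None])[0],
        "nas_ip": nas_ip,
        "nas_ip_matches_filter": nas_ip == filter_ip,
        "is_sslvpn": request.get("Connect-Info", [""])[0] == "vpn-ssl",
        "reply_has_expected_attr": expected_reply_attr in reply,
        "reply_attrs": sorted(reply),
    }


if __name__ == "__main__":
    print(diagnose(SAMPLE_DUMP, "172.18.1.90", "Fortinet-Group-Name"))
```

Feeding the full debug output from radiusd -X (or the PacketFence RADIUS audit log) through diagnose() tells you at a glance whether the reply was ever enriched, which is quicker than reading the raw attribute stream.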
_______________________________________________ PacketFence-users mailing list PacketFence-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/packetfence-users