Good morning,

I'm looking to assign a user a role, based on their membership in AD and have 
that returned to the FortiGate to allow the user to connect to the VPN.

User login comes in from the VPN. The User Authenticates.
User-Name = "chris"
NAS-IP-Address = 10.10.20.10
Called-Station-Id = "10.10.20.10"
Calling-Station-Id = "10.10.10.10"
NAS-Identifier = "FortiGate"
Proxy-State = 0x313631
NAS-Port-Type = Virtual
Acct-Session-Id = "46906026"
Event-Timestamp = "May 11 2021 10:23:26 ADT"
Connect-Info = "vpn-ssl"
Message-Authenticator = 0xcc6237fa515961d575f802b4a0908044
Fortinet-Vdom-Name = "root"
MS-CHAP-Challenge = 0x92ae68a2ac66124ad164042f4f38c45b
MS-CHAP2-Response = 0x7e00806b361b428955e2c7df110c101a8be4000000000000000050fe07df152cd08c0445ee178820959c7bb361acf054930c
Stripped-User-Name = "chris"
Realm = "null"
FreeRADIUS-Client-IP-Address = packetfenceVIP
PacketFence-Domain = "DOMAIN"
PacketFence-KeyBalanced = "2276c8900707b1d83ae8bfcaa3008c39"
PacketFence-Radius-Ip = "packetfence1"
PacketFence-NTLMv2-Only = "--allow-mschapv2"
User-Password = "******"
SQL-User-Name = "chris"

RADIUS Reply
MS-CHAP2-Success = 0x7e533d45464232384144444444433243304643323339413633424430303635354336354243423341423039
Proxy-State = 0x313631

I have a connection profile that it's supposed to flow through:
'SSLVPN-90e-Test' => {
    'billing_tiers' => [],
    'filter_match_style' => 'all',
    'preregistration' => 'disabled',
    'sms_pin_retry_limit' => '0',
    'unbound_dpsk' => 'disabled',
    'locale' => [],
    'vlan_pool_technique' => 'username_hash',
    'always_use_redirecturl' => 'disabled',
    'login_attempt_limit' => '0',
    'template_paths' => [
        '/usr/local/pf/html/captive-portal/profile-templates/SSLVPN-90e-Test',
        '/usr/local/pf/html/captive-portal/profile-templates/default',
        '/usr/local/pf/html/captive-portal/templates'
    ],
    'guest_modes' => '',
    'description' => 'SSLVPN',
    'network_logoff_popup' => 'disabled',
    'reuse_dot1x_credentials' => '0',
    'sources' => [
        'DOMAIN-SSLVPN'
    ],
    'access_registration_when_registered' => 'disabled',
    'block_interval' => 600,
    'advanced_filter' => '',
    'provisioners' => [],
    'dot1x_recompute_role_from_portal' => 'enabled',
    'dot1x_unset_on_unmatch' => 'disabled',
    'status' => 'enabled',
    'unreg_on_acct_stop' => 'disabled',
    'root_module' => 'default_policy',
    'sms_request_limit' => '0',
    'network_logoff' => 'disabled',
    'dpsk' => 'disabled',
    'filter' => [
        'tenant:1',
        'switch_group:VPN-Server'
    ],
    'mac_auth_recompute_role_from_portal' => 'disabled',
    'autoregister' => 'disabled',
    'scans' => [],
    'redirecturl' => 'http://www.packetfence.org/',
    'logo' => '/common/packetfence-cp.png',
    'self_service' => 'default'
}


This is the source:
bless( {
    'cache_match' => '0',
    'realms' => [],
    'read_timeout' => '10',
    'basedn' => 'DC=ad,DC=domain,DC=ca',
    'monitor' => '1',
    'rules' => [
        bless( {
            'cache_key' => 'memberOf,equals,CN=NETWORKS,OU=Users,OU=Secured Groups,OU=NAC,OU=Protected Groups,OU=Admin,DC=ad DC=domain,DC=ca',
            'actions' => [
                bless( {
                    'value' => 'SSLVPN-NetAdmin',
                    'type' => 'set_role',
                    'class' => 'authentication'
                }, 'pf::Authentication::Action' ),
                bless( {
                    'value' => '1D',
                    'type' => 'set_access_duration',
                    'class' => 'authentication'
                }, 'pf::Authentication::Action' )
            ],
            'status' => 'enabled',
            'match' => 'all',
            'description' => 'SSLVPN NetAdmin group',
            'class' => 'authentication',
            'id' => 'SSLVPN-NetAdmin',
            'conditions' => [
                bless( {
                    'operator' => 'equals',
                    'attribute' => 'memberOf',
                    'value' => 'CN=NETWORKS,OU=Users,OU=Secured Groups,OU=NAC,OU=Protected Groups,OU=Admin,DC=ad DC=domain,DC=ca'
                }, 'pf::Authentication::Condition' )
            ]
        }, 'pf::Authentication::Rule' )
    ],
    'password' => 'h2M6z!A^z#kA3kHLG^XrQL6M9UcMos',
    'dynamic_routing_module' => 'AuthModule',
    'shuffle' => '1',
    'searchattributes' => [
        'sAMAccountName'
    ],
    'id' => 'Domain-SSLVPN',
    'scope' => 'sub',
    'unique' => 0,
    'email_attribute' => 'mail',
    'usernameattribute' => 'sAMAccountName',
    'dead_duration' => '60',
    'connection_timeout' => '1',
    'binddn' => 'CN=PacketFence Authentication,OU=Service Accounts,OU=Admin,DC=ad,DC=domain,DC=ca',
    'encryption' => 'ssl',
    'description' => 'Domain - People Authentication - SSLVPN',
    'port' => '636',
    'host' => [
        'ad1.ad.domain.ca',
        'ad2.ad.domain.ca',
        'ad3.ad.domain.ca'
    ],
    'write_timeout' => '5',
    'type' => 'AD',
    'class' => 'internal'
}, 'pf::Authentication::Source::ADSource' ),

Here is the Switch group and switch:
[172.18.1.90]
description=TEST VPN with FG90E
group=VPN-Server
radiusSecret=testVPN
SSLVPN-NetAdminRole=SSLVPN-NetAdmin
SSLVPN-NetAdminVlan=999
RoleMap=Y
VlanMap=N

[group VPN-Server]
description=VPN Authentication
VoIPDHCPDetect=N
cliAccess=Y
type=Fortinet::FortiGate
VlanMap=N
SSLVPN-NetAdminRole=SSLVPN-NetAdmin
RoleMap=Y
radiusSecret=testVPN

Here is the Radius-Filter:
[SSLVPN-NetAdmin]
status=enabled
top_op=and
description=test sslvpn
scopes=returnRadiusAccessAccept
merge_answer=yes
condition=switch._ip == "172.18.1.90" && switch._roles == "SSLVPN-NetAdmin"
answer.0=reply:Fortinet-Group-Name = VPN-ITS-NetServ

But, it doesn't seem to hit the Radius-Filter.

Cheers,
Chris
_______________________________________________
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users
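To check each stage of the flow in the post separately, here is an added example in Python. It is not PacketFence's own code and not from the poster; it only models the three pieces shown above: parsing the FreeRADIUS-style attribute dump, evaluating a "memberOf equals <DN>" rule with RFC 4514-style DN normalisation (case and whitespace around RDN separators are ignored, a missing comma between two RDNs is not), and evaluating the radius filter condition before merging its answer into the reply. The memberOf values passed in are constructed, since the post does not show what AD actually returns for the group; treating the filter's switch._roles as the role the rule just assigned, and the shape of the returned reply dict, are modelling assumptions, not PacketFence internals.

```python
"""Added example (not PacketFence code): model the AD rule, the DN comparison
and the radius filter from the post so each can be checked on its own.
Group DNs used as input are constructed sample data."""
import re

# Request attributes copied from the post (secrets and MS-CHAP fields left out).
REQUEST_DUMP = """\
User-Name = "chris"
NAS-IP-Address = 10.10.20.10
Called-Station-Id = "10.10.20.10"
Calling-Station-Id = "10.10.10.10"
NAS-Identifier = "FortiGate"
NAS-Port-Type = Virtual
Connect-Info = "vpn-ssl"
Fortinet-Vdom-Name = "root"
PacketFence-Domain = "DOMAIN"
"""

# Rule DN exactly as it appears in the posted source dump.
RULE_DN = ('CN=NETWORKS,OU=Users,OU=Secured Groups,OU=NAC,'
           'OU=Protected Groups,OU=Admin,DC=ad DC=domain,DC=ca')

# Radius filter as posted. The only condition grammar modelled here is
# '<key> == "<value>"' clauses joined by '&&'.
RADIUS_FILTER = {
    'status': 'enabled',
    'condition': 'switch._ip == "172.18.1.90" && switch._roles == "SSLVPN-NetAdmin"',
    'answers': ['reply:Fortinet-Group-Name = VPN-ITS-NetServ'],
}


def parse_attrs(dump):
    """'Name = value' per line; surrounding double quotes are stripped,
    hex (0x...) and bare values are kept as strings."""
    attrs = {}
    for line in dump.splitlines():
        m = re.match(r'\s*([\w-]+)\s*=\s*(.*?)\s*$', line)
        if not m:
            continue
        name, value = m.groups()
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        attrs[name] = value
    return attrs


def normalize_dn(dn):
    """Split on unescaped commas, trim whitespace around each RDN and its '=',
    lower-case types and values (AD compares DNs case-insensitively).
    An RDN without any '=' raises ValueError."""
    parts = []
    for rdn in re.split(r'(?<!\\),', dn):
        rdn = rdn.strip()
        if '=' not in rdn:
            raise ValueError('malformed RDN %r in %r' % (rdn, dn))
        typ, val = rdn.split('=', 1)
        parts.append('%s=%s' % (typ.strip().lower(), val.strip().lower()))
    return ','.join(parts)


def rule_matches(member_of, rule_dn):
    """'memberOf equals <dn>': true if any group DN equals the rule DN after
    normalisation. A space instead of a comma inside the DN still differs."""
    target = normalize_dn(rule_dn)
    return any(normalize_dn(g) == target for g in member_of)


def eval_condition(condition, ctx):
    """Evaluate '&&'-joined equality clauses against ctx, a dict keyed by the
    dotted names used in the filter (e.g. 'switch._ip')."""
    for clause in condition.split('&&'):
        m = re.match(r'\s*([\w.]+)\s*==\s*"([^"]*)"\s*$', clause)
        if not m:
            raise ValueError('unsupported clause %r' % clause)
        key, expected = m.groups()
        if ctx.get(key) != expected:
            return False
    return True


def authorize(attrs, member_of, switch_ip, rule_dn=RULE_DN, flt=RADIUS_FILTER):
    """Role from the AD rule, then reply attributes from the radius filter.
    Assumption: the filter's switch._roles is compared with the role just set."""
    role = 'SSLVPN-NetAdmin' if rule_matches(member_of, rule_dn) else None
    reply = {'user': attrs.get('User-Name'), 'role': role}
    ctx = {'switch._ip': switch_ip, 'switch._roles': role}
    if flt['status'] == 'enabled' and eval_condition(flt['condition'], ctx):
        for answer in flt['answers']:
            m = re.match(r'reply:([\w-]+)\s*=\s*(.*?)\s*$', answer)
            reply[m.group(1)] = m.group(2)
    return reply


if __name__ == '__main__':
    attrs = parse_attrs(REQUEST_DUMP)
    # Constructed: a comma-separated group DN, as AD would return it in memberOf.
    groups = ['CN=NETWORKS,OU=Users,OU=Secured Groups,OU=NAC,'
              'OU=Protected Groups,OU=Admin,DC=ad,DC=domain,DC=ca']
    print(authorize(attrs, groups, '172.18.1.90'))               # rule DN as posted
    print(authorize(attrs, groups, '172.18.1.90', rule_dn=groups[0]))  # same DN both sides
```

The two calls at the bottom feed the same constructed group DN once against the rule DN as posted and once against itself; only the second sets the role and so only the second satisfies the filter condition and adds Fortinet-Group-Name to the reply. The useful check is therefore to compare the rule's DN byte for byte with the memberOf value AD actually returns for the account (for example from an ldapsearch against the same base DN), since the radius filter can only fire after the role has been set.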