Thank you for the reply.

Is this something that we may be able to expect for PacketFence 11? Or for a 
much further release?

Is this functionality that I can implement using radius filters? Or is there 
another switch type (PacketFence::Default as example) that I could use in 
conjunction with a radius filter to accomplish the task in the interim?

And furthermore, I don’t see a specific GitHub issue for this, do you want me 
to open one?

I have not tried it, but I assume I'll have the same problem with CLI switch 
access on Nortel/Avaya/Extreme switches?

Thanks so much!

________________________________
From: Fabrice Durand <oeufd...@gmail.com>
Sent: Tuesday, May 11, 2021 11:03:37 PM
To: packetfence-users@lists.sourceforge.net 
<packetfence-users@lists.sourceforge.net>
Cc: Chris Crawford <chris.crawf...@unb.ca>
Subject: Re: [PacketFence-users] FortiGate VPN Auth based on AD Group Membership


Hello Chris,

First, we don't compute the role from the source for FortiGate; we just do an 
MSCHAP verification, and if it's authenticated we allow the access.
It's missing a little bit of code to do that, but it's not something really 
complicated.

Next, the condition in the radius filter you should try:
condition=switch._ip == "172.18.1.90" && connection_type == "VPN-Access"

Btw, I will have to work on the VPN code soon, so I will add the logic to compute 
the role of the user to return the RADIUS attribute Fortinet-Group-Name.

Regards
Fabrice
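
To see why the poster's filter condition never fires while the suggested one does, here is an added illustration (not code from the thread or from PacketFence itself) that models how the two conditions evaluate against the request attributes posted below; the variable names, the connection_type value and the rule that a missing variable never matches are assumptions.

```python
import re

# Constructed excerpt of the Access-Request shown in the thread (not a live capture).
REQUEST_DUMP = """\
User-Name = "chris"
NAS-IP-Address = 10.10.20.10
NAS-Identifier = "FortiGate"
NAS-Port-Type = Virtual
Connect-Info = "vpn-ssl"
"""
# The two filter conditions from the thread: the poster's and the suggested one.
ORIGINAL = 'switch._ip == "172.18.1.90" && switch._roles == "SSLVPN-NetAdmin"'
SUGGESTED = 'switch._ip == "172.18.1.90" && connection_type == "VPN-Access"'

def parse_radius_dump(text):
    """Turn 'Attribute = value' debug lines into a dict, dropping surrounding quotes."""
    attrs = {}
    for line in text.splitlines():
        m = re.match(r'\s*([\w-]+)\s*=\s*(.*)$', line)
        if m:
            attrs[m.group(1)] = m.group(2).strip().strip('"')
    return attrs

def build_context(attrs, switch_roles=None):
    """Hypothetical model of the variables a radius filter can test (not PacketFence's).
    switch._ip is constructed to match the [172.18.1.90] switch entry; connection_type
    is assumed to be "VPN-Access" for an SSL-VPN request. switch._roles is set only
    when a role was computed, which the reply says does not happen for FortiGate VPN."""
    ctx = {"switch._ip": "172.18.1.90", "connection_type": "VPN-Access",
           "user_name": attrs.get("User-Name", "")}
    if switch_roles is not None:
        ctx["switch._roles"] = switch_roles
    return ctx

def evaluate_condition(cond, ctx):
    """Evaluate the syntax subset used on the page: name == "value" clauses joined
    by &&. A variable absent from the context never matches (model, not PF's parser)."""
    for clause in cond.split("&&"):
        m = re.fullmatch(r'\s*([\w.\-]+)\s*==\s*"([^"]*)"\s*', clause)
        if not m:
            raise ValueError("unsupported clause: %r" % clause)
        name, want = m.groups()
        if ctx.get(name) != want:
            return False
    return True

def check_filters():
    """Which of the two conditions matches the request when no role was computed."""
    ctx = build_context(parse_radius_dump(REQUEST_DUMP))
    return {"original": evaluate_condition(ORIGINAL, ctx),
            "suggested": evaluate_condition(SUGGESTED, ctx)}
```

Passing switch_roles="SSLVPN-NetAdmin" to build_context shows the original condition matching once a role is actually computed.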


On Tue, May 11, 2021 at 09:55, Chris Crawford via PacketFence-users 
<packetfence-users@lists.sourceforge.net> wrote:

Good morning,

I'm looking to assign a user a role, based on their membership in AD, and have 
that returned to the FortiGate to allow the user to connect to the VPN.

User login comes in from the VPN. The user authenticates.

    User-Name = "chris"
    NAS-IP-Address = 10.10.20.10
    Called-Station-Id = "10.10.20.10"
    Calling-Station-Id = "10.10.10.10"
    NAS-Identifier = "FortiGate"
    Proxy-State = 0x313631
    NAS-Port-Type = Virtual
    Acct-Session-Id = "46906026"
    Event-Timestamp = "May 11 2021 10:23:26 ADT"
    Connect-Info = "vpn-ssl"
    Message-Authenticator = 0xcc6237fa515961d575f802b4a0908044
    Fortinet-Vdom-Name = "root"
    MS-CHAP-Challenge = 0x92ae68a2ac66124ad164042f4f38c45b
    MS-CHAP2-Response = 0x7e00806b361b428955e2c7df110c101a8be4000000000000000050fe07df152cd08c0445ee178820959c7bb361acf054930c
    Stripped-User-Name = "chris"
    Realm = "null"
    FreeRADIUS-Client-IP-Address = packetfenceVIP
    PacketFence-Domain = "DOMAIN"
    PacketFence-KeyBalanced = "2276c8900707b1d83ae8bfcaa3008c39"
    PacketFence-Radius-Ip = "packetfence1"
    PacketFence-NTLMv2-Only = "--allow-mschapv2"
    User-Password = "******"
    SQL-User-Name = "chris"

RADIUS Reply

    MS-CHAP2-Success = 0x7e533d45464232384144444444433243304643323339413633424430303635354336354243423341423039
    Proxy-State = 0x313631


I have a connection profile that it's supposed to flow through:

'SSLVPN-90e-Test' => {
    'billing_tiers' => [],
    'filter_match_style' => 'all',
    'preregistration' => 'disabled',
    'sms_pin_retry_limit' => '0',
    'unbound_dpsk' => 'disabled',
    'locale' => [],
    'vlan_pool_technique' => 'username_hash',
    'always_use_redirecturl' => 'disabled',
    'login_attempt_limit' => '0',
    'template_paths' => [
        '/usr/local/pf/html/captive-portal/profile-templates/SSLVPN-90e-Test',
        '/usr/local/pf/html/captive-portal/profile-templates/default',
        '/usr/local/pf/html/captive-portal/templates'
    ],
    'guest_modes' => '',
    'description' => 'SSLVPN',
    'network_logoff_popup' => 'disabled',
    'reuse_dot1x_credentials' => '0',
    'sources' => [
        'DOMAIN-SSLVPN'
    ],
    'access_registration_when_registered' => 'disabled',
    'block_interval' => 600,
    'advanced_filter' => '',
    'provisioners' => [],
    'dot1x_recompute_role_from_portal' => 'enabled',
    'dot1x_unset_on_unmatch' => 'disabled',
    'status' => 'enabled',
    'unreg_on_acct_stop' => 'disabled',
    'root_module' => 'default_policy',
    'sms_request_limit' => '0',
    'network_logoff' => 'disabled',
    'dpsk' => 'disabled',
    'filter' => [
        'tenant:1',
        'switch_group:VPN-Server'
    ],
    'mac_auth_recompute_role_from_portal' => 'disabled',
    'autoregister' => 'disabled',
    'scans' => [],
    'redirecturl' => 'http://www.packetfence.org/',
    'logo' => '/common/packetfence-cp.png',
    'self_service' => 'default'
}

This is the source:

bless( {
    'cache_match' => '0',
    'realms' => [],
    'read_timeout' => '10',
    'basedn' => 'DC=ad,DC=domain,DC=ca',
    'monitor' => '1',
    'rules' => [
        bless( {
            'cache_key' => 'memberOf,equals,CN=NETWORKS,OU=Users,OU=Secured Groups,OU=NAC,OU=Protected Groups,OU=Admin,DC=ad DC=domain,DC=ca',
            'actions' => [
                bless( {
                    'value' => 'SSLVPN-NetAdmin',
                    'type' => 'set_role',
                    'class' => 'authentication'
                }, 'pf::Authentication::Action' ),
                bless( {
                    'value' => '1D',
                    'type' => 'set_access_duration',
                    'class' => 'authentication'
                }, 'pf::Authentication::Action' )
            ],
            'status' => 'enabled',
            'match' => 'all',
            'description' => 'SSLVPN NetAdmin group',
            'class' => 'authentication',
            'id' => 'SSLVPN-NetAdmin',
            'conditions' => [
                bless( {
                    'operator' => 'equals',
                    'attribute' => 'memberOf',
                    'value' => 'CN=NETWORKS,OU=Users,OU=Secured Groups,OU=NAC,OU=Protected Groups,OU=Admin,DC=ad DC=domain,DC=ca'
                }, 'pf::Authentication::Condition' )
            ]
        }, 'pf::Authentication::Rule' )
    ],
    'password' => 'h2M6z!A^z#kA3kHLG^XrQL6M9UcMos',
    'dynamic_routing_module' => 'AuthModule',
    'shuffle' => '1',
    'searchattributes' => [
        'sAMAccountName'
    ],
    'id' => 'Domain-SSLVPN',
    'scope' => 'sub',
    'unique' => 0,
    'email_attribute' => 'mail',
    'usernameattribute' => 'sAMAccountName',
    'dead_duration' => '60',
    'connection_timeout' => '1',
    'binddn' => 'CN=PacketFence Authentication,OU=Service Accounts,OU=Admin,DC=ad,DC=domain,DC=ca',
    'encryption' => 'ssl',
    'description' => 'Domain - People Authentication - SSLVPN',
    'port' => '636',
    'host' => [
        'ad1.ad.domain.ca',
        'ad2.ad.domain.ca',
        'ad3.ad.domain.ca'
    ],
    'write_timeout' => '5',
    'type' => 'AD',
    'class' => 'internal'
}, 'pf::Authentication::Source::ADSource' ),

Here is the switch group and switch:

[172.18.1.90]
description=TEST VPN with FG90E
group=VPN-Server
radiusSecret=testVPN
SSLVPN-NetAdminRole=SSLVPN-NetAdmin
SSLVPN-NetAdminVlan=999
RoleMap=Y
VlanMap=N

[group VPN-Server]
description=VPN Authentication
VoIPDHCPDetect=N
cliAccess=Y
type=Fortinet::FortiGate
VlanMap=N
SSLVPN-NetAdminRole=SSLVPN-NetAdmin
RoleMap=Y
radiusSecret=testVPN

Here is the radius filter:

[SSLVPN-NetAdmin]
status=enabled
top_op=and
description=test sslvpn
scopes=returnRadiusAccessAccept
merge_answer=yes
condition=switch._ip == "172.18.1.90" && switch._roles == "SSLVPN-NetAdmin"
answer.0=reply:Fortinet-Group-Name = VPN-ITS-NetServ

But it doesn't seem to hit the radius filter.



Cheers,

Chris

_______________________________________________
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users