Re: [PacketFence-users] FortiGate VPN Auth based on AD Group Membership
Thank you for the reply. Is this something that we may be able to expect for PacketFence 11? Or for a much further release? Is this functionality that I can implement using radius filters? Or is there another switch type (PacketFence::Default as example) that I could use in conjunction with a radius filter to accomplish the task in the interim? And furthermore, I don't see a specific GitHub issue for this, do you want me to open one?

I have not tried it, but, I assume I'll have the same problem with CLI Switch access on Nortel/Avaya/Extreme switches?

Thanks so much!

From: Fabrice Durand
Sent: Tuesday, May 11, 2021 11:03:37 PM
To: packetfence-users@lists.sourceforge.net
Cc: Chris Crawford
Subject: Re: [PacketFence-users] FortiGate VPN Auth based on AD Group Membership

> Hello Chris,
>
> First we don't compute the role from the source for Fortigate, we just do an MS-CHAP verification, then if it's authenticated we allow the access. It misses a little bit of code to do that, but it's not something really complicated.
>
> Next, the condition in the radius filter you should try:
>
>     condition=switch._ip == "172.18.1.90" && connection_type == "VPN-Access"
>
> Btw I will have to work on the VPN code soon, so I will add the logic to compute the role of the user to return the RADIUS attribute Fortinet-Group-Name.
>
> Regards
> Fabrice
>
> On Tue, 11 May 2021 at 09:55, Chris Crawford via PacketFence-users <packetfence-users@lists.sourceforge.net> wrote:
>
> > Good morning,
> >
> > I'm looking to assign a user a role, based on their membership in AD and have that returned to the FortiGate to allow the user to connect to the VPN.
Re: [PacketFence-users] FortiGate VPN Auth based on AD Group Membership
Hello Chris,

First we don't compute the role from the source for Fortigate, we just do an MS-CHAP verification, then if it's authenticated we allow the access. It misses a little bit of code to do that, but it's not something really complicated.

Next, the condition in the radius filter you should try:

    condition=switch._ip == "172.18.1.90" && connection_type == "VPN-Access"

Btw I will have to work on the VPN code soon, so I will add the logic to compute the role of the user to return the RADIUS attribute Fortinet-Group-Name.

Regards
Fabrice

On Tue, 11 May 2021 at 09:55, Chris Crawford via PacketFence-users <packetfence-users@lists.sourceforge.net> wrote:

> Good morning,
>
> I'm looking to assign a user a role, based on their membership in AD and
> have that returned to the FortiGate to allow the user to connect to the VPN.
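The flow Fabrice describes (authenticate with MS-CHAP, then decide the role from the AD group and hand it back to the FortiGate as Fortinet-Group-Name) can be sketched as a small worked example. The code below is an added illustration written for this thread; it is not PacketFence's own radius filter engine or source code. It parses the Access-Request attribute dump Chris posted, classifies the request as "VPN-Access" (assumption: a Virtual NAS port whose Connect-Info starts with "vpn", since the thread does not show how PacketFence derives connection_type), looks the user up in a constructed memberOf table, and returns the reply attributes. The switch IP used in the filter is the NAS-IP-Address from the dump (10.10.20.10) rather than the 172.18.1.90 in Fabrice's condition, so that the sample request actually matches. The AD_MEMBER_OF and GROUP_TO_ROLE tables are constructed; only the NETWORKS group DN comes from the thread. The example fails closed: a VPN request whose user maps to no role is rejected rather than accepted without a group.

```python
import re
from typing import Dict, List, Optional

# Constructed sample input: the Access-Request attributes from Chris's debug output.
ACCESS_REQUEST = """\
User-Name = "chris"
NAS-IP-Address = 10.10.20.10
Called-Station-Id = "10.10.20.10"
Calling-Station-Id = "10.10.10.10"
NAS-Identifier = "FortiGate"
NAS-Port-Type = Virtual
Connect-Info = "vpn-ssl"
Fortinet-Vdom-Name = "root"
Stripped-User-Name = "chris"
PacketFence-Domain = "DOMAIN"
"""

ATTR_RE = re.compile(r'^\s*([\w-]+)\s*=\s*(.*?)\s*$')


def parse_attributes(dump: str) -> Dict[str, str]:
    """Parse 'Attribute = value' lines from a FreeRADIUS-style dump into a dict.
    Surrounding double quotes are stripped; hex and bare values are kept as text.
    Lines without '=' (such as the 'RADIUS Reply' banner) are ignored."""
    attrs: Dict[str, str] = {}
    for line in dump.splitlines():
        m = ATTR_RE.match(line)
        if not m:
            continue
        name, value = m.groups()
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        attrs[name] = value
    return attrs


def connection_type(attrs: Dict[str, str]) -> str:
    """Assumption (not PacketFence's actual logic): a Virtual NAS port with a
    Connect-Info starting with 'vpn' is a VPN-Access connection."""
    if attrs.get("NAS-Port-Type") == "Virtual" and attrs.get("Connect-Info", "").startswith("vpn"):
        return "VPN-Access"
    return "Other"


# Constructed AD data. The NETWORKS DN is the one in the source rule from the thread.
NETWORKS_DN = ("CN=NETWORKS,OU=Users,OU=Secured Groups,OU=NAC,"
               "OU=Protected Groups,OU=Admin,DC=ad,DC=domain,DC=ca")
DOMAIN_USERS_DN = "CN=Domain Users,CN=Users,DC=ad,DC=domain,DC=ca"
AD_MEMBER_OF: Dict[str, List[str]] = {
    "chris": [NETWORKS_DN, DOMAIN_USERS_DN],
    "guest": [DOMAIN_USERS_DN],
}
# Constructed mapping: AD group DN -> role name sent back as Fortinet-Group-Name.
GROUP_TO_ROLE: Dict[str, str] = {NETWORKS_DN: "NETWORKS"}


def compute_role(username: str) -> Optional[str]:
    """Return the first role whose AD group the user is a member of, else None."""
    for dn in AD_MEMBER_OF.get(username, []):
        if dn in GROUP_TO_ROLE:
            return GROUP_TO_ROLE[dn]
    return None


def radius_filter(attrs: Dict[str, str], switch_ip: str, authenticated: bool) -> Dict[str, object]:
    """Decide the RADIUS reply. Mirrors the shape of the filter condition in the thread
    (switch IP and connection type) and then adds the role-to-attribute step."""
    if not authenticated:
        # MS-CHAP verification failed: never compute or return a group.
        return {"code": "Access-Reject", "attributes": {}}
    matched = attrs.get("NAS-IP-Address") == switch_ip and connection_type(attrs) == "VPN-Access"
    if not matched:
        # Filter does not apply: current behaviour from the thread, plain accept.
        return {"code": "Access-Accept", "attributes": {}}
    username = attrs.get("Stripped-User-Name") or attrs.get("User-Name", "")
    role = compute_role(username)
    if role is None:
        # Fail closed: an authenticated user with no mapped role gets no VPN access.
        return {"code": "Access-Reject", "attributes": {}}
    return {"code": "Access-Accept", "attributes": {"Fortinet-Group-Name": role}}


if __name__ == "__main__":
    request = parse_attributes(ACCESS_REQUEST)
    print(radius_filter(request, "10.10.20.10", authenticated=True))
```

Run as-is it prints an Access-Accept carrying Fortinet-Group-Name = NETWORKS for chris; swapping the username for "guest" yields an Access-Reject, and a request from a different NAS IP falls through to the plain accept that the thread describes as today's behaviour.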
[PacketFence-users] FortiGate VPN Auth based on AD Group Membership
Good morning,

I'm looking to assign a user a role, based on their membership in AD and have that returned to the FortiGate to allow the user to connect to the VPN.

User login comes in from the VPN. The User Authenticates.

    User-Name = "chris"
    NAS-IP-Address = 10.10.20.10
    Called-Station-Id = "10.10.20.10"
    Calling-Station-Id = "10.10.10.10"
    NAS-Identifier = "FortiGate"
    Proxy-State = 0x313631
    NAS-Port-Type = Virtual
    Acct-Session-Id = "46906026"
    Event-Timestamp = "May 11 2021 10:23:26 ADT"
    Connect-Info = "vpn-ssl"
    Message-Authenticator = 0xcc6237fa515961d575f802b4a0908044
    Fortinet-Vdom-Name = "root"
    MS-CHAP-Challenge = 0x92ae68a2ac66124ad164042f4f38c45b
    MS-CHAP2-Response = 0x7e00806b361b428955e2c7df110c101a8be450fe07df152cd08c0445ee178820959c7bb361acf054930c
    Stripped-User-Name = "chris"
    Realm = "null"
    FreeRADIUS-Client-IP-Address = packetfenceVIP
    PacketFence-Domain = "DOMAIN"
    PacketFence-KeyBalanced = "2276c8900707b1d83ae8bfcaa3008c39"
    PacketFence-Radius-Ip = "packetfence1"
    PacketFence-NTLMv2-Only = "--allow-mschapv2"
    User-Password = "**"
    SQL-User-Name = "chris"

RADIUS Reply

    MS-CHAP2-Success = 0x7e533d454642323841433243304643323339413633424430303635354336354243423341423039
    Proxy-State = 0x313631

I have a connection profile that it's supposed to flow through:

    'SSLVPN-90e-Test' => {
        'billing_tiers' => [],
        'filter_match_style' => 'all',
        'preregistration' => 'disabled',
        'sms_pin_retry_limit' => '0',
        'unbound_dpsk' => 'disabled',
        'locale' => [],
        'vlan_pool_technique' => 'username_hash',
        'always_use_redirecturl' => 'disabled',
        'login_attempt_limit' => '0',
        'template_paths' => [
            '/usr/local/pf/html/captive-portal/profile-templates/SSLVPN-90e-Test',
            '/usr/local/pf/html/captive-portal/profile-templates/default',
            '/usr/local/pf/html/captive-portal/templates'
        ],
        'guest_modes' => '',
        'description' => 'SSLVPN',
        'network_logoff_popup' => 'disabled',
        'reuse_dot1x_credentials' => '0',
        'sources' => [
            'DOMAIN-SSLVPN'
        ],
        'access_registration_when_registered' => 'disabled',
        'block_interval' => 600,
        'advanced_filter' => '',
        'provisioners' => [],
        'dot1x_recompute_role_from_portal' => 'enabled',
        'dot1x_unset_on_unmatch' => 'disabled',
        'status' => 'enabled',
        'unreg_on_acct_stop' => 'disabled',
        'root_module' => 'default_policy',
        'sms_request_limit' => '0',
        'network_logoff' => 'disabled',
        'dpsk' => 'disabled',
        'filter' => [
            'tenant:1',
            'switch_group:VPN-Server'
        ],
        'mac_auth_recompute_role_from_portal' => 'disabled',
        'autoregister' => 'disabled',
        'scans' => [],
        'redirecturl' => 'http://www.packetfence.org/',
        'logo' => '/common/packetfence-cp.png',
        'self_service' => 'default'

This is the source:

    bless( {
        'cache_match' => '0',
        'realms' => [],
        'read_timeout' => '10',
        'basedn' => 'DC=ad,DC=domain,DC=ca',
        'monitor' => '1',
        'rules' => [
            bless( {
                'cache_key' => 'memberOf,equals,CN=NETWORKS,OU=Users,OU=Secured Groups,OU=NAC,OU=Protected Groups,OU=Admin,DC=ad DC=domain,DC=ca',
                'actions' => [