Re: [PacketFence-users] FortiGate VPN Auth based on AD Group Membership

2021-05-12 Thread Chris Crawford via PacketFence-users
Thank you for the reply.

Is this something that we may be able to expect for PacketFence 11? Or for a 
much further release?

Is this functionality that I can implement using radius filters? Or is there 
another switch type (PacketFence::Default as example) that I could use in 
conjunction with a radius filter to accomplish the task in the interim?

And furthermore, I don’t see a specific GitHub issue for this, do you want me 
to open one?

I have not tried it, but, I assume I’ll have the same problem with CLI Switch 
access on Nortel/Avaya/Extreme switches?

Thanks so much!


From: Fabrice Durand
Sent: Tuesday, May 11, 2021 11:03:37 PM
To: packetfence-users@lists.sourceforge.net
Cc: Chris Crawford
Subject: Re: [PacketFence-users] FortiGate VPN Auth based on AD Group Membership



Re: [PacketFence-users] FortiGate VPN Auth based on AD Group Membership

2021-05-11 Thread Fabrice Durand via PacketFence-users
Hello Chris,

First, we don't compute the role from the source for Fortigate; we just do an
MSCHAP verification and, if it's authenticated, we allow the access.
It's missing a little bit of code to do that, but it's not something really
complicated.

Next the condition in the radius filter you should try:
condition=switch._ip == "172.18.1.90" && connection_type == "VPN-Access"

Btw, I will have to work on the VPN code soon, so I will add the logic to
compute the role of the user so that it returns the RADIUS attribute
Fortinet-Group-Name.

Regards
Fabrice


On Tue, 11 May 2021 at 09:55, Chris Crawford via PacketFence-users <
packetfence-users@lists.sourceforge.net> wrote:

> Good morning,
>
> I’m looking to assign a user a role, based on their membership in AD and
> have that returned to the FortiGate to allow the user to connect to the VPN.
>
> User login comes in from the VPN. The User Authenticates.
>
> User-Name = "chris"
> NAS-IP-Address = 10.10.20.10
> Called-Station-Id = "10.10.20.10"
> Calling-Station-Id = "10.10.10.10"
> NAS-Identifier = "FortiGate"
> Proxy-State = 0x313631
> NAS-Port-Type = Virtual
> Acct-Session-Id = "46906026"
> Event-Timestamp = "May 11 2021 10:23:26 ADT"
> Connect-Info = "vpn-ssl"
> Message-Authenticator = 0xcc6237fa515961d575f802b4a0908044
> Fortinet-Vdom-Name = "root"
> MS-CHAP-Challenge = 0x92ae68a2ac66124ad164042f4f38c45b
> MS-CHAP2-Response = 0x7e00806b361b428955e2c7df110c101a8be450fe07df152cd08c0445ee178820959c7bb361acf054930c
> Stripped-User-Name = "chris"
> Realm = "null"
> FreeRADIUS-Client-IP-Address = packetfenceVIP
> PacketFence-Domain = "DOMAIN"
> PacketFence-KeyBalanced = "2276c8900707b1d83ae8bfcaa3008c39"
> PacketFence-Radius-Ip = "packetfence1"
> PacketFence-NTLMv2-Only = "--allow-mschapv2"
> User-Password = "**"
> SQL-User-Name = "chris"
>
> RADIUS Reply
>
> MS-CHAP2-Success = 0x7e533d454642323841433243304643323339413633424430303635354336354243423341423039
> Proxy-State = 0x313631
>
> I have a connection profile that it’s supposed to flow through:
>
> 'SSLVPN-90e-Test' => {
>   'billing_tiers' => [],
>   'filter_match_style' => 'all',
>   'preregistration' => 'disabled',
>   'sms_pin_retry_limit' => '0',
>   'unbound_dpsk' => 'disabled',
>   'locale' => [],
>   'vlan_pool_technique' => 'username_hash',
>   'always_use_redirecturl' => 'disabled',
>   'login_attempt_limit' => '0',
>   'template_paths' => [
>     '/usr/local/pf/html/captive-portal/profile-templates/SSLVPN-90e-Test',
>     '/usr/local/pf/html/captive-portal/profile-templates/default',
>     '/usr/local/pf/html/captive-portal/templates'
>   ],
>   'guest_modes' => '',
>   'description' => 'SSLVPN',
>   'network_logoff_popup' => 'disabled',
>   'reuse_dot1x_credentials' => '0',
>   'sources' => [
>     'DOMAIN-SSLVPN'
>   ],
>   'access_registration_when_registered' => 'disabled',
>   'block_interval' => 600,
>   'advanced_filter' => '',
>   'provisioners' => [],
>   'dot1x_recompute_role_from_portal' => 'enabled',
>   'dot1x_unset_on_unmatch' => 'disabled',
>   'status' => 'enabled',
>   'unreg_on_acct_stop' => 'disabled',
>   'root_module' => 'default_policy',
>   'sms_request_limit' => '0',
>   'network_logoff' => 'disabled',
>   'dpsk' => 'disabled',
>   'filter' => [
>     'tenant:1',
>     'switch_group:VPN-Server'
>   ],
>   'mac_auth_recompute_role_from_portal' => 'disabled',
>   'autoregister' => 'disabled',
>   'scans' => [],
>   'redirecturl' => 'http://www.packetfence.org/',
>   'logo' => '/common/packetfence-cp.png',
>   'self_service' => 'default'
>
> This is the source:
>
> bless( {
>   'cache_match' => '0',
>   'realms' => [],
>   'read_timeout' => '10',
>   'basedn' => 'DC=ad,DC=domain,DC=ca',
>   'monitor' => '1',
>   'rules' => [
>     bless( {
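The gap Fabrice describes (MS-CHAP succeeds, access is granted, and no group information reaches the FortiGate) can be checked from the kind of debug output Chris pasted. The Python script below is an added example written for this page; it is not PacketFence or Fortinet code. It parses a FreeRADIUS-style attribute dump, applies the thread's filter condition in Python form (switch._ip is taken from NAS-IP-Address, and a VPN-Access connection type is derived from NAS-Port-Type and Connect-Info; both are assumptions), and reports an Access-Accept that carries no Fortinet-Group-Name or a group that does not match the user's AD membership. The sample request and reply are constructed from the thread's dump, and the AD-group-to-Fortinet-Group-Name mapping and the memberOf list are invented for the example.

```python
import re

# One "Attribute = value" line of FreeRADIUS debug output.
ATTR_RE = re.compile(r'^\s*([A-Za-z0-9-]+)\s*=\s*(.*?)\s*$')

def parse_attrs(text):
    """Parse a FreeRADIUS-style attribute dump into a dict.
    A value wrapped onto the next line (as MS-CHAP2-Response is in the
    thread's paste) is joined back; surrounding double quotes are removed."""
    attrs = {}
    last = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = ATTR_RE.match(line)
        if m:
            last = m.group(1)
            attrs[last] = m.group(2)
        elif last is not None and attrs[last] == "":
            attrs[last] = line  # continuation of a wrapped value
    for name, value in attrs.items():
        if len(value) >= 2 and value[0] == value[-1] == '"':
            attrs[name] = value[1:-1]
    return attrs

def connection_type(req):
    """Classify the request the way the radius filter's connection_type would.
    Assumption: the FortiGate SSL VPN login is the request with NAS-Port-Type
    Virtual and a Connect-Info starting with "vpn" (as in the thread's dump)."""
    if req.get("NAS-Port-Type") == "Virtual" and req.get("Connect-Info", "").startswith("vpn"):
        return "VPN-Access"
    return "Unknown"

def filter_condition(req, switch_ip):
    """Python form of the thread's condition:
    switch._ip == "<switch_ip>" && connection_type == "VPN-Access"
    (switch._ip is taken from NAS-IP-Address here; assumption)."""
    return req.get("NAS-IP-Address") == switch_ip and connection_type(req) == "VPN-Access"

# Constructed mapping from AD group DN (memberOf) to the Fortinet-Group-Name
# the FortiGate should receive. Earlier entries take precedence.
GROUP_TO_FORTINET = {
    "CN=VPN-Admins,OU=Groups,DC=ad,DC=domain,DC=ca": "VPN-Admins",
    "CN=VPN-Users,OU=Groups,DC=ad,DC=domain,DC=ca": "VPN-Users",
}

def fortinet_group_for(member_of):
    """Fortinet-Group-Name for a user's memberOf list, or None when the user
    is in no VPN-entitled group (the reply should then be an Access-Reject)."""
    groups = {dn.lower() for dn in member_of}
    for dn, name in GROUP_TO_FORTINET.items():
        if dn.lower() in groups:
            return name
    return None

def expected_reply(member_of):
    """Reply attributes a group-aware authorization should return."""
    name = fortinet_group_for(member_of)
    if name is None:
        return {"Reply-Message": "no VPN-entitled group"}  # reject case
    return {"Fortinet-Group-Name": name}

def audit_exchange(request_text, reply_text, switch_ip, member_of):
    """Compare an observed request/reply with what group-based authorization
    should have produced. Returns a list of findings (empty = consistent)."""
    req = parse_attrs(request_text)
    rep = parse_attrs(reply_text)
    findings = []
    if not filter_condition(req, switch_ip):
        return findings  # not a VPN-Access request for this switch
    accepted = "MS-CHAP2-Success" in rep
    want = fortinet_group_for(member_of)
    user = req.get("User-Name", "?")
    if accepted and want is None:
        findings.append(f"{user}: accepted although in no VPN-entitled AD group")
    if accepted and "Fortinet-Group-Name" not in rep:
        findings.append(f"{user}: Access-Accept carries no Fortinet-Group-Name, "
                        "so the FortiGate cannot restrict the tunnel by group")
    elif accepted and rep.get("Fortinet-Group-Name") != want:
        findings.append(f"{user}: Fortinet-Group-Name is "
                        f"{rep['Fortinet-Group-Name']!r}, expected {want!r}")
    return findings

# Constructed sample, shortened from the debug output pasted in the thread.
SAMPLE_REQUEST = """
User-Name = "chris"
NAS-IP-Address = 10.10.20.10
Called-Station-Id = "10.10.20.10"
NAS-Identifier = "FortiGate"
NAS-Port-Type = Virtual
Connect-Info = "vpn-ssl"
Fortinet-Vdom-Name = "root"
MS-CHAP-Challenge = 0x92ae68a2ac66124ad164042f4f38c45b
MS-CHAP2-Response =
0x7e00806b361b428955e2c7df110c101a8be450fe07df152cd08c0445ee178820959c7bb361acf054930c
Stripped-User-Name = "chris"
"""
SAMPLE_REPLY = """
MS-CHAP2-Success = 0x7e533d454642323841433243304643323339413633424430303635354336354243423341423039
Proxy-State = 0x313631
"""
# Constructed memberOf for the user "chris" in this example.
CHRIS_MEMBER_OF = [
    "CN=VPN-Users,OU=Groups,DC=ad,DC=domain,DC=ca",
    "CN=Domain Users,CN=Users,DC=ad,DC=domain,DC=ca",
]

if __name__ == "__main__":
    for finding in audit_exchange(SAMPLE_REQUEST, SAMPLE_REPLY, "10.10.20.10", CHRIS_MEMBER_OF):
        print("FINDING:", finding)
    print("expected reply:", expected_reply(CHRIS_MEMBER_OF))
```

Run as a file it prints the finding for the sample exchange (an Access-Accept with no Fortinet-Group-Name). Feeding it real FreeRADIUS debug output and memberOf values from an LDAP query gives a quick review of whether an Access-Accept ever leaves PacketFence for a VPN user who is in no entitled group, which is exactly the state the thread describes until the role computation is added.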