Hello Chris,
First, we don't compute the role from the source for Fortigate; we just do an
MSCHAP verification, then if it's authenticated we allow the access.
It's missing a little bit of code to do that, but it's not something really
complicated.
Next, the condition in the radius filter you should try is:
condition=switch._ip == "172.18.1.90" && connection_type == "VPN-Access"
Btw I will have to work on the VPN code soon, so I will add the logic to
compute the role of the user to return the radius attribute
Fortinet-Group-Name.
Regards
Fabrice
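As an added illustration (not PacketFence's own code, and not Fabrice's), the following Python sketches the decision described above: classify the request, evaluate an `&&`-joined condition of the form used in the radius filter, and only then add a `Fortinet-Group-Name` reply attribute derived from the user's role. The role lookup (`ROLE_BY_USER`), the role-to-group map (`GROUP_BY_ROLE`) and the rule that a Virtual `NAS-Port-Type` means `VPN-Access` are assumptions standing in for the AD source and PacketFence's internals; the request attributes are taken from the quoted debug output, with the NAS address substituted into the condition so the sample matches.

```python
import re

# Constructed sample: the Access-Request attributes quoted in the thread,
# in the "Name = value" form that FreeRADIUS debug output prints them in.
SAMPLE_REQUEST = """\
User-Name = "chris"
NAS-IP-Address = 10.10.20.10
Called-Station-Id = "10.10.20.10"
Calling-Station-Id = "10.10.10.10"
NAS-Identifier = "FortiGate"
NAS-Port-Type = Virtual
Connect-Info = "vpn-ssl"
Fortinet-Vdom-Name = "root"
"""

# Assumed stand-in for the AD/LDAP source lookup: user -> role.
ROLE_BY_USER = {"chris": "vpn-users"}

# Assumed stand-in for the role -> Fortinet-Group-Name mapping.
GROUP_BY_ROLE = {"vpn-users": "SSLVPN-Users"}

# The filter condition from the thread, with the NAS address of the
# sample request in place of 172.18.1.90 so that the sample matches.
CONDITION = 'switch._ip == "10.10.20.10" && connection_type == "VPN-Access"'


def parse_attributes(text):
    """Parse 'Name = value' lines into a dict, stripping surrounding quotes."""
    attrs = {}
    for line in text.splitlines():
        m = re.match(r"\s*([\w-]+)\s*=\s*(.*?)\s*$", line)
        if not m:
            continue
        name, value = m.groups()
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        attrs[name] = value
    return attrs


def connection_type(attrs):
    """Classify the request. Assumption for illustration: a Virtual port type
    (or a vpn-* Connect-Info) is treated as VPN-Access, the name the thread's
    condition uses; anything else is left unclassified (None)."""
    if attrs.get("NAS-Port-Type") == "Virtual":
        return "VPN-Access"
    if attrs.get("Connect-Info", "").lower().startswith("vpn"):
        return "VPN-Access"
    return None


def evaluate_condition(condition, context):
    """Evaluate a condition made of `name == "value"` clauses joined by &&.
    Only this subset of the filter syntax is handled; an unsupported clause
    raises instead of silently matching, so a typo cannot widen the rule."""
    for clause in condition.split("&&"):
        m = re.fullmatch(r'\s*([\w.]+)\s*==\s*"([^"]*)"\s*', clause)
        if not m:
            raise ValueError(f"unsupported clause: {clause!r}")
        name, expected = m.groups()
        if context.get(name) != expected:
            return False
    return True


def build_reply(attrs, condition=CONDITION):
    """Return the extra reply attributes to add to an Access-Accept.
    The MS-CHAPv2 verification is assumed to have already succeeded;
    this only decides whether a Fortinet-Group-Name is added."""
    context = {
        "switch._ip": attrs.get("NAS-IP-Address"),
        "connection_type": connection_type(attrs),
    }
    if not evaluate_condition(condition, context):
        return {}  # filter does not apply: plain accept, no group attribute
    role = ROLE_BY_USER.get(attrs.get("User-Name"))
    if role is None or role not in GROUP_BY_ROLE:
        return {}  # authenticated but no role: accept without a group, as today
    return {"Fortinet-Group-Name": GROUP_BY_ROLE[role]}


if __name__ == "__main__":
    request = parse_attributes(SAMPLE_REQUEST)
    print(connection_type(request), build_reply(request))
```

The condition evaluator deliberately accepts only equality clauses and fails closed on anything else; in a real filter, a mistyped operator should be caught at configuration time rather than turn into a rule that matches every request.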
On Tue, May 11, 2021 at 09:55, Chris Crawford via PacketFence-users <
packetfence-users@lists.sourceforge.net> wrote:
> Good morning,
>
> I’m looking to assign a user a role, based on their membership in AD and
> have that returned to the FortiGate to allow the user to connect to the VPN.
>
> User login comes in from the VPN. The User Authenticates.
>
> User-Name = "chris"
> NAS-IP-Address = 10.10.20.10
> Called-Station-Id = "10.10.20.10"
> Calling-Station-Id = "10.10.10.10"
> NAS-Identifier = "FortiGate"
> Proxy-State = 0x313631
> NAS-Port-Type = Virtual
> Acct-Session-Id = "46906026"
> Event-Timestamp = "May 11 2021 10:23:26 ADT"
> Connect-Info = "vpn-ssl"
> Message-Authenticator = 0xcc6237fa515961d575f802b4a0908044
> Fortinet-Vdom-Name = "root"
> MS-CHAP-Challenge = 0x92ae68a2ac66124ad164042f4f38c45b
> MS-CHAP2-Response = 0x7e00806b361b428955e2c7df110c101a8be450fe07df152cd08c0445ee178820959c7bb361acf054930c
> Stripped-User-Name = "chris"
> Realm = "null"
> FreeRADIUS-Client-IP-Address = packetfenceVIP
> PacketFence-Domain = "DOMAIN"
> PacketFence-KeyBalanced = "2276c8900707b1d83ae8bfcaa3008c39"
> PacketFence-Radius-Ip = "packetfence1"
> PacketFence-NTLMv2-Only = "--allow-mschapv2"
> User-Password = "**"
> SQL-User-Name = "chris"
>
> RADIUS Reply
>
> MS-CHAP2-Success = 0x7e533d454642323841433243304643323339413633424430303635354336354243423341423039
> Proxy-State = 0x313631
>
> I have a connection profile that it’s supposed to flow through:
>
> 'SSLVPN-90e-Test' => {
>   'billing_tiers' => [],
>   'filter_match_style' => 'all',
>   'preregistration' => 'disabled',
>   'sms_pin_retry_limit' => '0',
>   'unbound_dpsk' => 'disabled',
>   'locale' => [],
>   'vlan_pool_technique' => 'username_hash',
>   'always_use_redirecturl' => 'disabled',
>   'login_attempt_limit' => '0',
>   'template_paths' => [
>     '/usr/local/pf/html/captive-portal/profile-templates/SSLVPN-90e-Test',
>     '/usr/local/pf/html/captive-portal/profile-templates/default',
>     '/usr/local/pf/html/captive-portal/templates'
>   ],
>   'guest_modes' => '',
>   'description' => 'SSLVPN',
>   'network_logoff_popup' => 'disabled',
>   'reuse_dot1x_credentials' => '0',
>   'sources' => [
>     'DOMAIN-SSLVPN'
>   ],
>   'access_registration_when_registered' => 'disabled',
>   'block_interval' => 600,
>   'advanced_filter' => '',
>   'provisioners' => [],
>   'dot1x_recompute_role_from_portal' => 'enabled',
>   'dot1x_unset_on_unmatch' => 'disabled',
>   'status' => 'enabled',
>   'unreg_on_acct_stop' => 'disabled',
>   'root_module' => 'default_policy',
>   'sms_request_limit' => '0',
>   'network_logoff' => 'disabled',
>   'dpsk' => 'disabled',
>   'filter' => [
>     'tenant:1',
>     'switch_group:VPN-Server'
>   ],
>   'mac_auth_recompute_role_from_portal' => 'disabled',
>   'autoregister' => 'disabled',
>   'scans' => [],
>   'redirecturl' => 'http://www.packetfence.org/',
>   'logo' => '/common/packetfence-cp.png',
>   'self_service' => 'default'
>
> This is the source:
>
> bless( {
>   'cache_match' => '0',
>   'realms' => [],
>   'read_timeout' => '10',
>   'basedn' => 'DC=ad,DC=domain,DC=ca',
>   'monitor' => '1',
>   'rules' => [
>     bless( {
>