Hi all,
We are planning to use PF to replace our current ACS server so that we can perform a
custom health check during a device's first logon. I have achieved our basic
functions in our PoC environment, such as 802.1X auth with AD integration,
assigning a specific role to a specific group, triggering a violation on specific
devices, and writing VLAN filter rules to filter out mobile devices so that no
health check is needed for them. But we still have some issues, and I'm not sure
whether they are PF bugs or my misconfiguration. Please help.
Our operation mechanism is: we need to ensure that all users install our endpoint
agent on their computers. So first we get all the devices' MAC addresses from our
agent server and insert these devices' MACs, together with the employees role, into
the pf.node table. These devices are then automatically registered according to
their node info. And we use 802.1X auth without auto-register checked.
This way, users who have installed our endpoint agent first pass 802.1X auth and
then get the role previously assigned to their device, while users who didn't
install the agent are put into the registration role after 802.1X auth. We want
to redirect those users to a specific web page showing them how to install it.
Currently we use the message.html module to achieve this.
The questions are:
1. When we trigger a "reevaluate access" action (using the syslog parser or by
clicking the button directly in the node view), PF works well at disconnecting an
online device (a device in registered status). But we can't complete this action
during the registration period.
After the user passes 802.1X auth, we can successfully redirect the URL to
message.html. Then we successfully change the device's role from registration to
employees. When we trigger the reevaluate access function, PF always logs "Unable
to perform RADIUS Disconnect-Request. Disconnect-NAK received with Error-Cause:
Session-Context-Not-Found. (pf::Switch::Aruba::radiusDisconnect)" and the device
stays in online status with the registration IP. And we get a session-missing
error in the Aruba debug log.
I guess this failure is because of the wrong acct-session-id PF gets from
radacct_log. I didn't see any accounting log sent from the AC during the
registration period. We tried to use the radclient command to send the RADIUS
Disconnect-Request: with acct-session-id we also get this error, while without
acct-session-id we can successfully disconnect the device.
2. I created a connection profile with 802.1X auth and AD as the authentication
source. When I connect to our SSID using my iPhone, I have to fill in the full
username with the domain realm (for example "axin.com\test01"); otherwise PF
matches the default NULL realm and then just uses local auth.
I tried changing the NULL realm setting to direct everything to my AD. This seems
to work, but we'll have multiple domains in the real production network. How can
we make it work then? PF should find the correct realm by itself, since I have
set the correct source in the connection profile.
Our basic network environment:
PF IP:192.168.1.5 vlan 801
PF Registration IP: 192.168.2.1 vlan 2
PF Isolation IP: 192.168.3.1 vlan 3
Aruba AC IP:192.168.1.250 vlan 801
normal network:172.30.3.0/24 for employees role vlan 803
normal network:172.30.2.0/24 for guest role vlan 802
core switch IP:192.168.1.254 vlan 801
The authentication source is our AD. PF has successfully joined the domain.
Our switches.conf:
[192.168.1.250]
RoleMap=Y
mode=production
SNMPCommunityRead=*****
VlanMap=N
description=Aruba
SNMPVersionTrap=2c
cliPwd=*****
employeesRole=employees
cliTransport=SSH
SNMPCommunityTrap=*****
wsPwd=*****
SNMPCommunityWrite=*****
ExternalPortalEnforcement=Y
cliUser=admin
defaultRole=isolation
deauthMethod=RADIUS
type=Aruba
radiusSecret=*****
SNMPVersion=2c
guestRole=guest
cliEnablePwd=*****
wsUser=admin
violationRole=violation
cliAccess=Y
_______________________________________________
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users
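The Disconnect-NAK / Error-Cause 503 behaviour described in question 1, worked through at the packet level as an added example (this is illustrative code, not PacketFence, FreeRADIUS or Aruba code). It builds an RFC 5176 Disconnect-Request with the proper Request Authenticator, parses the NAS reply, verifies the Response Authenticator, and decodes Error-Cause. The "NAS" is a constructed session table; its matching rule (a supplied Acct-Session-Id must match the live session exactly, while a request carrying only Calling-Station-Id is matched on the MAC) is an assumption chosen to reproduce the symptom in the post, not Aruba's documented behaviour. The shared secret, MAC address and session ids are constructed test values.

```python
import hashlib
import hmac
import struct

# Packet codes (RFC 5176, Dynamic Authorization Extensions).
DISCONNECT_REQUEST = 40
DISCONNECT_ACK = 41
DISCONNECT_NAK = 42

# Attribute types (RFC 2865 / RFC 2866 / RFC 5176).
CALLING_STATION_ID = 31
ACCT_SESSION_ID = 44
ERROR_CAUSE = 101

# Error-Cause values (RFC 5176 section 3.5) most often seen on Disconnect/CoA.
ERROR_CAUSE_NAMES = {
    401: "Unsupported-Attribute", 402: "Missing-Attribute",
    403: "NAS-Identification-Mismatch", 404: "Invalid-Request",
    501: "Administratively-Prohibited", 503: "Session-Context-Not-Found",
}


def encode_avp(attr_type, value):
    """Type/Length/Value attribute; Length includes the 2 header bytes (RFC 2865 s5)."""
    if isinstance(value, str):
        value = value.encode()
    if not 0 < len(value) <= 253:
        raise ValueError("attribute value must be 1..253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def parse_packet(pkt):
    """Return (code, identifier, authenticator, [(type, value), ...])."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 20 or length > len(pkt):
        raise ValueError("bad RADIUS length field")
    attrs, pos = [], 20
    while pos < length:
        atype, alen = pkt[pos], pkt[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        attrs.append((atype, pkt[pos + 2:pos + alen]))
        pos += alen
    return code, ident, pkt[4:20], attrs


def build_disconnect_request(secret, ident, attrs):
    """RFC 5176 s2.3: Request Authenticator = MD5(Code+ID+Length+16 zero bytes+Attrs+Secret)."""
    body = b"".join(encode_avp(t, v) for t, v in attrs)
    header = struct.pack("!BBH", DISCONNECT_REQUEST, ident, 20 + len(body))
    return header + hashlib.md5(header + bytes(16) + body + secret).digest() + body


def request_authenticator_ok(pkt, secret):
    """NAS-side check; RFC 5176 says a request that fails this is silently discarded."""
    expected = hashlib.md5(pkt[:4] + bytes(16) + pkt[20:] + secret).digest()
    return hmac.compare_digest(expected, pkt[4:20])


def build_response(code, request, secret, attrs=()):
    """RFC 2865 s3: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    body = b"".join(encode_avp(t, v) for t, v in attrs)
    header = struct.pack("!BBH", code, request[1], 20 + len(body))
    return header + hashlib.md5(header + request[4:20] + body + secret).digest() + body


def response_authenticator_ok(response, request, secret):
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


def toy_nas(request, secret, sessions):
    """Constructed NAS. `sessions` maps Calling-Station-Id -> live Acct-Session-Id.

    Assumed matching rule (not Aruba's documented behaviour): every session key the
    request carries must match, so a stale Acct-Session-Id gives NAK 503 even
    though the MAC alone would have found the session.
    """
    if not request_authenticator_ok(request, secret):
        return None                       # bad authenticator: discard, no reply
    code, _, _, attrs = parse_packet(request)
    if code != DISCONNECT_REQUEST:
        return build_response(DISCONNECT_NAK, request, secret,
                              [(ERROR_CAUSE, struct.pack("!I", 404))])
    keys = {t: v.decode("utf-8", "replace") for t, v in attrs
            if t in (CALLING_STATION_ID, ACCT_SESSION_ID)}
    mac = keys.get(CALLING_STATION_ID)
    live = sessions.get(mac)
    if live is None or (ACCT_SESSION_ID in keys and keys[ACCT_SESSION_ID] != live):
        return build_response(DISCONNECT_NAK, request, secret,
                              [(ERROR_CAUSE, struct.pack("!I", 503))])
    del sessions[mac]                     # session torn down
    return build_response(DISCONNECT_ACK, request, secret)


def describe_result(response, request, secret):
    """One-line verdict, the way an operator would want it logged."""
    if response is None:
        return "no reply (request discarded: wrong shared secret or NAS not listening)"
    if not response_authenticator_ok(response, request, secret):
        return "reply rejected: Response Authenticator mismatch (wrong secret or forged reply)"
    code, _, _, attrs = parse_packet(response)
    if code == DISCONNECT_ACK:
        return "Disconnect-ACK"
    if code == DISCONNECT_NAK:
        causes = [struct.unpack("!I", v)[0] for t, v in attrs if t == ERROR_CAUSE and len(v) == 4]
        if not causes:
            return "Disconnect-NAK (no Error-Cause)"
        return "Disconnect-NAK: " + ", ".join(
            "Error-Cause %d (%s)" % (c, ERROR_CAUSE_NAMES.get(c, "unknown")) for c in causes)
    return "unexpected RADIUS code %d" % code


if __name__ == "__main__":
    SECRET = b"testing123"                               # constructed shared secret
    live = {"00-11-22-33-44-55": "0A1B2C3D"}             # constructed NAS session table
    stale = build_disconnect_request(SECRET, 1, [(CALLING_STATION_ID, "00-11-22-33-44-55"),
                                                 (ACCT_SESSION_ID, "DEADBEEF")])
    print("stale Acct-Session-Id   :", describe_result(toy_nas(stale, SECRET, live), stale, SECRET))
    mac_only = build_disconnect_request(SECRET, 2, [(CALLING_STATION_ID, "00-11-22-33-44-55")])
    print("Calling-Station-Id only :", describe_result(toy_nas(mac_only, SECRET, live), mac_only, SECRET))
```

The two calls at the bottom mirror the radclient experiment in the post: the same MAC is refused with Error-Cause 503 when the request carries an Acct-Session-Id the NAS does not know, and accepted when the request identifies the session by Calling-Station-Id alone. The authenticator checks are kept deliberately, since a Disconnect-Request is an unauthenticated-by-default UDP message whose only protection is the shared secret: a NAS must drop requests that fail the Request Authenticator, and the sender must reject replies that fail the Response Authenticator rather than trusting any ACK that arrives.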