Menu
▾
▴
Re: [PacketFence-users] 802.1x, Roles/Dynamic VLAN & Certificates.....
|
From: John S. <js...@as...> - 2018-08-13 10:16:57
|
I think I've got it working but I haven’t tested it very thoroughly so I may be mistaken. I think there's still something I'm doing wrong. I'm using a regex match on the distinguished name still. I started testing it with group membership as I thought using the distinguished name might have been the issue but it still didn't work so I don't think that's the case. If I test it, I create a user account and have the Username Attribute in the authentication source set to sAMAccountName. This seems to work fine: Aug 13 10:01:50 pftest(18774) INFO: [Test] Authentication successful for jtest1 (pf::Authentication::Source::LDAPSource::authenticate) Aug 13 10:01:50 pftest(18774) INFO: Using sources Test for matching (pf::authentication::match) Aug 13 10:01:50 pftest(18774) INFO: Matched rule (Youth) in source Test, returning actions. (pf::Authentication::Source::match) Aug 13 10:01:50 pftest(18774) INFO: Using sources Test for matching (pf::authentication::match) The following may require more testing to confirm it's all correct and the results are consistently reproducible: When I switch to using machine authentication, I can't test using pftest with the correct password and I'm kind of guessing what to put in the username field for testing. When I have the Username Attribute set to servicePrincipalName and I test with 'host/' followed by the fqdn of the host, for example 'host/IT-L-HP250.asd.local' this works. But when I try this by connecting to the wireless network packetfence doesn't match my rule. (I was testing on Saturday so I'm not sure exactly which section of the log to pick out so I might need to try this again to get more informaiton.) So I looked in active directory at the attributes and servicePrincipalName is a multi-value field so I didn't know if this was causing an issue? So I changed the Username Attribute to 'name' (although I'm also not sure what the issue with sAMAccountName is.) Now the previous test with pftest fails so I switched to using simply the hostname 'IT-L-HP250' which again matches the rule but fails the authentication due to now knowing the password. However in this configuration when I tried connecting to the wireless it worked but I got the same errors in the log. This is the log of a successful authentication and matching the rule Aug 11 11:48:56 httpd.aaa(12652) INFO: [mac:80:56:f2:15:b8:a9] handling radius autz request: from switch_ip => (10.16.20.102), connection_type => Wireless-802.11-EAP,switch_mac => (e8:39:35:65:87:56), mac => [80:56:f2:15:b8:a9], port => 88, username => "host/IT-L-HP250.asd.local", ssid => test (pf::radius::authorize) Aug 11 11:48:56 httpd.aaa(12652) INFO: [mac:80:56:f2:15:b8:a9] is doing machine auth with account 'host/IT-L-HP250.asd.local'. (pf::radius::authorize) Aug 11 11:48:56 httpd.aaa(12652) INFO: [mac:80:56:f2:15:b8:a9] Instantiate profile 802.1x (pf::Portal::ProfileFactory::_from_profile) Aug 11 11:48:56 httpd.aaa(12652) INFO: [mac:80:56:f2:15:b8:a9] Memory configuration is not valid anymore for key resource::authentication_sources in local cached_hash (pfconfig::cached::is_valid) Aug 11 11:48:56 httpd.aaa(12652) WARN: [mac:80:56:f2:15:b8:a9] Calling match with empty/invalid rule class. Defaulting to 'authentication' (pf::authentication::match) Aug 11 11:48:56 httpd.aaa(12652) INFO: [mac:80:56:f2:15:b8:a9] Using sources Test for matching (pf::authentication::match) Aug 11 11:48:56 httpd.aaa(12652) ERROR: [mac:80:56:f2:15:b8:a9] Error binding 'Connection reset by peer' (pf::LDAP::bind) Aug 11 11:48:56 httpd.aaa(12652) WARN: [mac:80:56:f2:15:b8:a9] LDAP connection expired (pf::LDAP::expire_if) Aug 11 11:48:56 httpd.aaa(12652) INFO: [mac:80:56:f2:15:b8:a9] Matched rule (Internal) in source Test, returning actions. (pf::Authentication::Source::match) Aug 11 11:48:56 httpd.aaa(12652) INFO: [mac:80:56:f2:15:b8:a9] Using sources Test for matching (pf::authentication::match) Aug 11 11:48:56 httpd.aaa(12652) ERROR: [mac:80:56:f2:15:b8:a9] Error binding 'Connection reset by peer' (pf::LDAP::bind) Aug 11 11:48:56 httpd.aaa(12652) WARN: [mac:80:56:f2:15:b8:a9] LDAP connection expired (pf::LDAP::expire_if) Aug 11 11:48:56 httpd.aaa(12652) INFO: [mac:80:56:f2:15:b8:a9] Matched rule (Internal) in source Test, returning actions. (pf::Authentication::Source::match) Aug 11 11:48:56 httpd.aaa(12652) INFO: [mac:80:56:f2:15:b8:a9] violation 1300003 force-closed for 80:56:f2:15:b8:a9 (pf::violation::violation_force_close) Aug 11 11:48:56 httpd.aaa(12652) INFO: [mac:80:56:f2:15:b8:a9] Instantiate profile 802.1x (pf::Portal::ProfileFactory::_from_profile) Aug 11 11:48:56 httpd.aaa(12652) INFO: [mac:80:56:f2:15:b8:a9] Using sources Test for matching (pf::authentication::match) Aug 11 11:48:56 httpd.aaa(12652) INFO: [mac:80:56:f2:15:b8:a9] Matched rule (Internal) in source Test, returning actions. (pf::Authentication::Source::match) Aug 11 11:48:56 httpd.aaa(12652) INFO: [mac:80:56:f2:15:b8:a9] Using sources Test for matching (pf::authentication::match) Aug 11 11:48:56 httpd.aaa(12652) INFO: [mac:80:56:f2:15:b8:a9] Matched rule (Internal) in source Test, returning actions. (pf::Authentication::Source::match) Aug 11 11:48:56 httpd.aaa(12652) INFO: [mac:80:56:f2:15:b8:a9] Username was defined "host/IT-L-HP250.asd.local" - returning role 'RUFCInternal' (pf::role::getRegisteredRole) Aug 11 11:48:56 httpd.aaa(12652) INFO: [mac:80:56:f2:15:b8:a9] PID: "host/IT-L-HP250.asd.local", Status: reg Returned VLAN: (undefined), Role: RUFCInternal (pf::role::fetchRoleForNode) Aug 11 11:48:56 httpd.aaa(12652) INFO: [mac:80:56:f2:15:b8:a9] (10.16.20.102) Added VLAN 15 to the returned RADIUS Access-Accept (pf::Switch::returnRadiusAccessAccept) Aug 11 11:48:57 httpd.aaa(12652) INFO: [mac:b8:03:05:a8:92:e7] Updating locationlog from accounting request (pf::api::handle_accounting_metadata) Now the "Error binding 'Connection reset by peer' (pf::LDAP::bind)" seem fairly critical, but it still seems to be working. I've got "Use stripped username" ticked and I'm now wondering if this might be the issue? I did lots of testing changing the "Base DN" and "Scope" fields along with the rule criteria. I can't say I got consistent results. Sometimes it seemed to work, and sometimes not, but this may have been because I was making other mistakes. I've attached sanitised versions of profiles.conf and authentication.conf Thanks -----Original Message----- From: Durand fabrice via PacketFence-users [mailto:pac...@li...] Sent: 11 August 2018 02:52 To: pac...@li... Cc: Durand fabrice <fd...@in...> Subject: Re: [PacketFence-users] 802.1x, Roles/Dynamic VLAN & Certificates..... Hello John, in the packetfence.log file you will be able to see which source the username match. Also you can use pftest authentication bob "" to test the rules. If you want you can send me the authentication.conf (remove confidential data), profiles.conf file and i will probably what is the issue. Regards Fabrice Le 2018-08-09 à 08:16, John Sayce via PacketFence-users a écrit : > Sorry, I realised it's not setting the role because I was using the attribute sAMAccountName rather than servicePrincipalName. > > However I'm still not quite sure how to apply two different roles as discussed in Section 8. I've added both sources with different roles to my profile but it appears to authenticate with the first source ignoring the Base DN. > > > > -----Original Message----- > From: John Sayce via PacketFence-users > [mailto:pac...@li...] > Sent: 09 August 2018 08:02 > To: 'pac...@li...' > <pac...@li...> > Cc: John Sayce <js...@as...> > Subject: Re: [PacketFence-users] 802.1x, Roles/Dynamic VLAN & Certificates..... > > Got the certificate sorted, that was pretty straight forward when I actually follow things though. > > I am still having issues with role assignment. At the moment I've only got one role and one authentication source with a rule to apply a role without any conditions in my authentication source, but the role doesn't apply. I'm not really sure how to debug things though? > > I followed section 5.5 to create a connection profile > https://packetfence.org/doc/PacketFence_Installation_Guide.html#_confi > guring_the_connection_profile > > Ideally I'd like to do something like section 8, > https://packetfence.org/doc/PacketFence_Installation_Guide.html#_intro > duction_to_role_based_access_control > Such that there are two authentication sources with different "Base DN" and this leads to the application of two different roles. > > John > > -----Original Message----- > From: Durand fabrice via PacketFence-users > [mailto:pac...@li...] > Sent: 04 August 2018 02:19 > To: pac...@li... > Cc: Durand fabrice <fd...@in...> > Subject: Re: [PacketFence-users] 802.1x, Roles/Dynamic VLAN & Certificates..... > > Hello John, > > > Le 2018-08-03 à 11:18, John Sayce via PacketFence-users a écrit : >> Hi, >> >> I’ve setup 802.1x for my wireless. I initially started using NPS but it didn't have the flexibility I wanted for dynamic VLAN assignment. So I've setup packetfence and my clients can authenticate but they're not getting assigned the roles I'd like, to then go in the appropriate VLAN. >> >> Specifically I want to assign roles based on organisational unit. Am I correct, that the (best) way to do this is to create an active directory source for each role with a rule that then checks the distinguished name to get the organisational unit with the action to assign the appropriate role? As I say, at the moment this doesn't appear to work, but I haven't tried to debug it yet, so I might have made a silly mistake somewhere. > As i remember a dn cannot be use for a ldapsearch > (https://www.openldap.org/lists/openldap-software/200503/msg00520.html > ) > but maybe i am wrong. > The better way to test it will be to configure a rule like distingishName regex ou=blablabla and use pftest to see if the rule match. > Btw i prefer to use groupMembership for that. >> Initially I setup the client to skip verification of the server's certificate to see the radius requests coming in. Later I re-enabled the verification and added the certificates to the trusted root store but received an error about a valid trust anchor for this profile. I believe I can override this by specifying the specific certificate in group policy but I didn't really understand the error message. Ultimately I have a Microsoft PKI setup so I'd like to assign a certificate from this. The manual says I then edit the "/usr/local/pf/conf/radiusd/eap.conf" and point the relevant settings at the certificates files approved by my Microsoft PKI. Is that sufficient? And will I still get the error about a valid trust anchor? I don't believe I encountered that issue with NPS. > NPS know the microsoft pki, so by default i think there is already a certificate for it. > So you will need to generate a certificate on the pki for the radius server (https://github.com/inverse-inc/packetfence/blob/devel/docs/pki/microsoft.asciidoc#radius-certificate-generation). > > With that you will probably don't have anymore the vlaid trust anchor with the device joined to the domain but you will still have it for the rest (you need to install the CA public key on each devices). > Regards > Fabrice > >> Thanks >> John >> --------------------------------------------------------------------- >> - >> -------- Check out the vibrant tech community on one of the world's >> most engaging tech sites, Slashdot.org! http://sdm.link/slashdot >> _______________________________________________ >> PacketFence-users mailing list >> Pac...@li... >> https://lists.sourceforge.net/lists/listinfo/packetfence-users > > ---------------------------------------------------------------------- > -------- Check out the vibrant tech community on one of the world's > most engaging tech sites, Slashdot.org! http://sdm.link/slashdot > _______________________________________________ > PacketFence-users mailing list > Pac...@li... > https://lists.sourceforge.net/lists/listinfo/packetfence-users > ---------------------------------------------------------------------- > -------- Check out the vibrant tech community on one of the world's > most engaging tech sites, Slashdot.org! http://sdm.link/slashdot > _______________________________________________ > PacketFence-users mailing list > Pac...@li... > https://lists.sourceforge.net/lists/listinfo/packetfence-users > ---------------------------------------------------------------------- > -------- Check out the vibrant tech community on one of the world's > most engaging tech sites, Slashdot.org! http://sdm.link/slashdot > _______________________________________________ > PacketFence-users mailing list > Pac...@li... > https://lists.sourceforge.net/lists/listinfo/packetfence-users ------------------------------------------------------------------------------ Check out the vibrant tech community on one of the world's most engaging tech sites, Slashdot.org! http://sdm.link/slashdot _______________________________________________ PacketFence-users mailing list Pac...@li... https://lists.sourceforge.net/lists/listinfo/packetfence-users |
