Menu
▾
▴
Re: [PacketFence-users] PF 9.3.0 and connection profiles and recomputing of roles - not working
|
From: Durand f. <fd...@in...> - 2020-02-18 01:29:02
|
Try with a simple filter, just like the ssid only and assign the source on this profile. Then share the packetfence.log. Regards Fabrice Le 20-02-14 à 08 h 01, Nadim El-Khoury a écrit : > Hi Fabrice, > > Unfortunately, it is the same behavior. This time the owner is > recognized but the profile is not getting set. > > Best, > > Nadim > > On Wed, Feb 12, 2020 at 8:54 PM Nadim El-Khoury > <nel...@sp... <mailto:nel...@sp...>> wrote: > > Hi Fabrice, > > Thank you for looking into this. > I am attaching two screenshots where the GUI shows that the source > is selected but it does not show up in the profiles.conf file. > I will manually make the change in the file and report back to you. > > Best, > > Nadim > > > On Wed, Feb 12, 2020 at 8:46 PM Durand fabrice <fd...@in... > <mailto:fd...@in...>> wrote: > > Hello Nadim, > > there is no source associate to the sc-eduroam-profile > profile, try that: > > # > # Copyright (C) 2005-2019 Inverse inc. > # > # See the enclosed file COPYING for license information (GPL). > # If you did not receive this file, see > # http://www.fsf.org/licensing/licenses/gpl.html > [default] > autoregister=enabled > sources=MSAD > > [sc-eduroam-profile] > filter_match_style=all > locale= > description=Springfield College local eduroam connections > filter=ssid:eduroam > sources=MSAD > > [incoming-eduroam-connections] > locale= > sources=US-Eduroam-Servers > filter=realm:eduroam > description=Incoming Eduroam Connections > # > # Copyright (C) 2005-2019 Inverse inc. > # > # See the enclosed file COPYING for license information (GPL). > # If you did not receive this file, see > # http://www.fsf.org/licensing/licenses/gpl.html > > let me know if it's ok now. > > Regards > > Fabrice > > Le 20-02-12 à 08 h 11, Nadim El-Khoury a écrit : >> Hi Fabrice, >> >> Please note that I sanitized the authentication.conf file and >> removed the shared Radius key and the password to connect to >> our MS LDAP. Everything else is intact. >> >> Thank you very much for all your help and for looking at this >> issue. >> >> Best, >> >> Nadim >> >> On Tue, Feb 11, 2020 at 9:02 PM Durand fabrice >> <fd...@in... <mailto:fd...@in...>> wrote: >> >> It's still the same in the logs. >> >> Can you share your prifiles.conf and authentication.conf >> file ? >> >> Regards >> >> Fabrice >> >> >> Le 20-02-11 à 12 h 02, Nadim El-Khoury a écrit : >>> Hi Fabrice, >>> >>> I am sorry to report that nothing works. I am still >>> seeing the same behavior. >>> I deleted all the connection profiles and just left the >>> default one and still nothing. >>> >>> I am attaching the packetfence.log file. >>> >>> Best, >>> >>> Nadim >>> >>> On Tue, Feb 11, 2020 at 8:31 AM Fabrice Durand >>> <fd...@in... <mailto:fd...@in...>> wrote: >>> >>> Ok so assign the default realm in the authentication >>> source and/or the realm springfieldcollege.edu >>> <http://springfieldcollege.edu>. >>> >>> Le 20-02-10 à 22 h 42, Nadim El-Khoury a écrit : >>>> Hi Fabrice, >>>> >>>> I want to thank you for taking the time to look >>>> into the log file. >>>> Yes, we have AD configured as an authentication >>>> source. I added it to the source in the connection >>>> profile and will test it in the morning and report >>>> back. >>>> >>>> Best, >>>> >>>> Nadim >>>> >>>> On Mon, Feb 10, 2020 at 8:31 PM Durand fabrice >>>> <fd...@in... <mailto:fd...@in...>> wrote: >>>> >>>> Hello Nadim, >>>> >>>> here what happen: >>>> >>>> Feb 10 13:15:08 fennec packetfence_httpd.aaa: >>>> httpd.aaa(15955) INFO: [mac:a4:e9:75:4e:95:5d] >>>> handling radius autz request: from switch_ip => >>>> (10.2.75.11), connection_type => >>>> Wireless-802.11-EAP,switch_mac => >>>> (5c:5b:35:a8:10:33), mac => >>>> [a4:e9:75:4e:95:5d], port => 0, username => >>>> "nel...@sp..." >>>> <mailto:nel...@sp...>, >>>> ssid => eduroam (pf::radius::authorize) >>>> Feb 10 13:15:08 fennec packetfence_httpd.aaa: >>>> httpd.aaa(15955) INFO: [mac:a4:e9:75:4e:95:5d] >>>> Instantiate profile non-sc-eduroam-users >>>> (pf::Connection::ProfileFactory::_from_profile) >>>> Feb 10 13:15:08 fennec packetfence_httpd.aaa: >>>> httpd.aaa(15955) INFO: [mac:a4:e9:75:4e:95:5d] >>>> Found authentication source(s) : '' for realm >>>> 'springfieldcollege.edu >>>> <http://springfieldcollege.edu>' >>>> (pf::config::util::filter_authentication_sources) >>>> Feb 10 13:15:08 fennec packetfence_httpd.aaa: >>>> httpd.aaa(15955) WARN: [mac:a4:e9:75:4e:95:5d] >>>> No category computed for autoreg >>>> (pf::role::getNodeInfoForAutoReg) >>>> Feb 10 13:15:08 fennec packetfence_httpd.aaa: >>>> httpd.aaa(15955) WARN: [mac:a4:e9:75:4e:95:5d] >>>> Switch type 'pf::Switch::Generic' does not >>>> support MABFloatingDevices >>>> (pf::SwitchSupports::__ANON__) >>>> Feb 10 13:15:08 fennec packetfence_httpd.aaa: >>>> httpd.aaa(15955) INFO: [mac:a4:e9:75:4e:95:5d] >>>> Found authentication source(s) : '' for realm >>>> 'springfieldcollege.edu >>>> <http://springfieldcollege.edu>' >>>> (pf::config::util::filter_authentication_sources) >>>> >>>> PacketFence instantiate the profile >>>> non-sc-eduroam-users but is not able to find >>>> any sources to compute the rules. >>>> >>>> My assumption is that you enabled auto >>>> registration on the connection profile but you >>>> didn't defined any sources. >>>> >>>> So edit the connection profile and assign an >>>> authentication source on it (you probably have >>>> an AD one). >>>> >>>> Regards >>>> >>>> Fabrice >>>> >>>> >>>> Le 20-02-10 à 14 h 34, Nadim El-Khoury a écrit : >>>>> Hi Fabrice, >>>>> >>>>> Please find attached the packetfence.log file. >>>>> The username is >>>>> nel...@sp... >>>>> <mailto:nel...@sp...> >>>>> >>>>> Best, >>>>> >>>>> Nadim >>>>> >>>>> On Fri, Feb 7, 2020 at 10:09 PM Durand fabrice >>>>> via PacketFence-users >>>>> <pac...@li... >>>>> <mailto:pac...@li...>> >>>>> wrote: >>>>> >>>>> Hello Nadim >>>>> >>>>> Le 20-02-05 à 02 h 19, Nadim El-Khoury via >>>>> PacketFence-users a écrit : >>>>>> Hi Everyone, >>>>>> >>>>>> It does not look like that PF 9.3.0 is >>>>>> able to assign the right connection >>>>>> profile once a user is authenticated. >>>>>> >>>>>> Question 1) Why is the right connection >>>>>> profile not being picked up based on the >>>>>> created filter? >>>>> probably a wrong filter >>>>>> Question 2) Can the default connection >>>>>> profile be disabled? >>>>> no >>>>>> Question 3) Why is the system not >>>>>> entering the right owner for the >>>>>> registered device after successful >>>>>> authentication? >>>>> No profile , so no source, so no user. >>>>>> Question 4) Why is the connection profile >>>>>> is set to N/A when it does not properly >>>>>> match a profile? >>>>> because packetfence is not able to compute >>>>> the connection profile. >>>>>> >>>>>> When running the /usr/local/pf/bin/pftest >>>>>> authentication username "" >>>>>> The command returns the right AD group >>>>>> the user is part of. >>>>>> >>>>>> Recomputing of roles does not seem to be >>>>>> working if a device is successfully >>>>>> registered with another user or owner. >>>>>> So, if a new user uses the same device >>>>>> the role is not recomputed and the new >>>>>> user using the same old registered device >>>>>> ends up with the same previous role as >>>>>> the previous user. >>>>>> >>>>>> Question 1) How can we change the above >>>>>> behavior? >>>>>> >>>>> share your packetfence.log file when the >>>>> device connect and we will have the answer. >>>>> >>>>> Regards >>>>> >>>>> Fabrice >>>>> >>>>> >>>>>> Your help is very much appreciated. >>>>>> >>>>>> Best, >>>>>> >>>>>> Nadim >>>>>> >>>>>> >>>>>> >>>>>> _______________________________________________ >>>>>> PacketFence-users mailing list >>>>>> Pac...@li... <mailto:Pac...@li...> >>>>>> https://lists.sourceforge.net/lists/listinfo/packetfence-users >>>>> _______________________________________________ >>>>> PacketFence-users mailing list >>>>> Pac...@li... >>>>> <mailto:Pac...@li...> >>>>> https://lists.sourceforge.net/lists/listinfo/packetfence-users >>>>> >>> -- >>> Fabrice Durand >>> fd...@in... <mailto:fd...@in...> :: +1.514.447.4918 (x135) ::www.inverse.ca <http://www.inverse.ca> >>> Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence (http://packetfence.org) >>> |
