Discussion:
[PacketFence-users] RADIUS+Dynamic Vlan Assignment based on AD
rewt rewt
2014-07-17 10:58:40 UTC
Permalink
Dear All,
I am currently using NAP (Windows) for dynamic VLAN assignment over
EAP/802.1X based on Active Directory groups.

For example:
If user john is in group "Vlan 10" he will be in the VLAN 10.

I would love to move to PacketFence, but I can't find any clear
documentation on how to succeed.

I have several questions:

- Is it possible to do that with PacketFence?
- Is it possible to do that kind of configuration 100% from the WebUI?
- Could you describe a quick process on how to succeed?


Thank you!

Kind regards,

David R
Morris, Andi
2014-07-17 12:07:58 UTC
Permalink
Hi David,
You should be able to do this from the sources and roles sections of the Web GUI.

Create a Role for each VLAN group.
Assign the role the VLAN ID within the Switches section of the web GUI.

Create a source for your AD server(s).
Then inside the source, create a Rule with the following logic:

If ANY of the following conditions are met:
memberOf | is member of | VLAN10
Perform the following actions:
Set role | VLAN10

Cheers,
Andi

David R
2014-07-19 21:04:50 UTC
Permalink
Hi,

The thing I don't understand about Andi's answer is how the
authentication process works...

So OK, everything is configured in AD (the right member group for each group), and on
PacketFence the link between the AD group and the VLAN is OK.

But what about the users authenticating through 802.1X PEAP? How can they
authenticate?
In my opinion something is missing; shouldn't I configure something about
RADIUS on the PacketFence side? And what about the switch, nothing other than "aaa"
with RADIUS config?

Please let me know.

Kind regards,

David R
Sabrina Louison-françois
2014-08-28 06:38:01 UTC
Permalink
Hello,

I am raising the subject again because I want to authenticate PacketFence users
with a RADIUS server (FreeRADIUS) only. I configured my RADIUS server to send a
specific parameter, "Egress-VLAN-Name", to PacketFence. The role must be
given according to this value.

In PacketFence 3.6 (in production) we had to modify these files to make
it work:
- /usr/local/pf/lib/pf/vlan/custom.pm: function getNormalVlan
- /usr/local/pf/conf/authentication/radius.pm: function authenticate

Do I have to do the same with version 4? I would like to have an
easier method using the web interface.

Please let me know.

Regards,

--
Sabrina Louison-François
Network and Telecom Engineer
Information Systems Department
École normale supérieure de Cachan
61, avenue du Président Wilson
94235 Cachan cedex
tel: 01 47 40 74 24
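The Egress-VLAN-Name value Sabrina's FreeRADIUS returns has a fixed encoding (RFC 4675), and the "role from this value" step she patched into custom.pm is a small lookup on top of that decoding. The block below is an added example written for this thread, not PacketFence code and not how the vlan filters later added in 4.4 work internally: it decodes Egress-VLAN-Name and its integer sibling Egress-VLANID exactly as RFC 4675 defines them, rejects malformed values, and maps the decoded value to a role through a rule table. The role table (ROLE_RULES), the role names and the reply attributes fed to it are constructed for the example.

```python
"""Decode the RFC 4675 Egress-VLAN attributes from a RADIUS Access-Accept and map
them to a PacketFence-style role.

Added example for this thread, not PacketFence code. ROLE_RULES and the sample
replies in __main__ are constructed; role names are illustrative.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

TAG_TAGGED, TAG_UNTAGGED = 0x31, 0x32   # ASCII '1' and '2', RFC 4675 section 2


@dataclass(frozen=True)
class EgressVlan:
    tagged: bool
    name: Optional[str] = None      # set when decoded from Egress-VLAN-Name
    vlan_id: Optional[int] = None   # set when decoded from Egress-VLANID


def parse_egress_vlan_name(value: str) -> EgressVlan:
    """Egress-VLAN-Name (RFC 4675 section 2.3): one leading character, '1' for tagged
    or '2' for untagged, followed by the VLAN name. Anything else is malformed."""
    if len(value) < 2 or ord(value[0]) not in (TAG_TAGGED, TAG_UNTAGGED):
        raise ValueError(f"malformed Egress-VLAN-Name: {value!r}")
    return EgressVlan(tagged=(ord(value[0]) == TAG_TAGGED), name=value[1:])


def parse_egress_vlanid(value: int) -> EgressVlan:
    """Egress-VLANID (RFC 4675 section 2.1): a 32-bit integer laid out as
    tag indication (8 bits) | pad (12 bits, must be zero) | VLAN ID (12 bits)."""
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError(f"Egress-VLANID is not a 32-bit value: {value}")
    tag, pad, vid = (value >> 24) & 0xFF, (value >> 12) & 0xFFF, value & 0xFFF
    if tag not in (TAG_TAGGED, TAG_UNTAGGED) or pad != 0:
        raise ValueError(f"malformed Egress-VLANID: {value:#010x}")
    if not 1 <= vid <= 4094:   # usable 802.1Q VID range; 0 and 4095 are reserved
        raise ValueError(f"VLAN ID out of range: {vid}")
    return EgressVlan(tagged=(tag == TAG_TAGGED), vlan_id=vid)


# Constructed rule table: (attribute, decoded value) -> role. Listing both the name
# and the ID form lets the same table serve whichever attribute the server sends.
ROLE_RULES: List[Tuple[str, object, str]] = [
    ("Egress-VLAN-Name", "Staff", "staff"),
    ("Egress-VLAN-Name", "Students", "student"),
    ("Egress-VLANID", 100, "staff"),
]


def role_from_radius_reply(reply: Dict[str, object]) -> Optional[str]:
    """Role for an Access-Accept reply, or None if no rule matches or the attribute is
    malformed (the caller then falls back to a default role or rejects)."""
    decoded: List[Tuple[str, object]] = []
    try:
        if "Egress-VLAN-Name" in reply:
            v = parse_egress_vlan_name(str(reply["Egress-VLAN-Name"]))
            decoded.append(("Egress-VLAN-Name", v.name))
        if "Egress-VLANID" in reply:
            v = parse_egress_vlanid(int(reply["Egress-VLANID"]))
            decoded.append(("Egress-VLANID", v.vlan_id))
    except ValueError:
        return None          # a malformed attribute must never yield a role
    for attr, value, role in ROLE_RULES:
        if (attr, value) in decoded:
            return role
    return None


if __name__ == "__main__":
    # Constructed replies: the first is what a FreeRADIUS reply item
    # "Egress-VLAN-Name = \"2Staff\"" would deliver; the second is the ID form.
    for sample in ({"Egress-VLAN-Name": "2Staff"}, {"Egress-VLANID": 0x32000064},
                   {"Egress-VLAN-Name": "Staff"}):
        print(sample, "->", role_from_radius_reply(sample))
```

The decoder keeps the tagged/untagged flag rather than discarding it: for an end-station port you normally only want to honour the untagged form ('2' / 0x32), since a supplicant's access port cannot use a VLAN that is tagged on egress, so a production version would add that check before mapping to a role.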
Fabrice DURAND
2014-08-28 12:33:49 UTC
Permalink
Hello Sabrina,

Wait for 4.4; we included a VLAN filter based on the RADIUS request, so
you will be able to write your own rules based on all the RADIUS attributes.

https://github.com/inverse-inc/packetfence/pull/196

Regards
Fabrice
--
Fabrice Durand
***@inverse.ca :: +1.514.447.4918 (x135) :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence (http://packetfence.org)
Arthur Emerson III
2014-08-28 13:36:34 UTC
Permalink
Wait for 4.4; we included a VLAN filter based on the RADIUS request, so you will be able to write your own rules based on all the RADIUS attributes.
Fabrice,

How long of a wait are we talking about for 4.4? I just grabbed the 4.3
ZEN image yesterday to start our PF 3.61 -> 4.x upgrade, and am wondering
if I should hold off if the 4.4 release is imminent in the next few
weeks...

-Arthur

-------------------------------------------------------------------------
Arthur Emerson III Email: ***@msmc.edu
Network Administrator InterNIC: AE81
Mount Saint Mary College MaBell: (845) 561-0800 Ext. 3109
330 Powell Ave. Fax: (845) 562-6762
Newburgh, NY 12550 SneakerNet: Aquinas Hall Room 11
Durand fabrice
2014-08-28 23:39:24 UTC
Permalink
Hello Arthur,

Probably next week; we merged stuff into devel today and tomorrow will be
a testing day.

Also you can have a preview of what will be included in 4.4
https://github.com/inverse-inc/packetfence/blob/devel/NEWS.asciidoc


Regards
Fabrice
Sabrina Louison-françois
2014-08-28 13:27:18 UTC
Permalink
Thanks for this answer. I will let it work with LDAP until version 4.4.

--
Sabrina Louison-François
Network and Telecom Engineer
Information Systems Department
École normale supérieure de Cachan
61, avenue du Président Wilson
94235 Cachan cedex
tel: 01 47 40 74 24
Fabrice DURAND
2014-07-17 12:24:07 UTC
Permalink
Hello David,

The answer to all three questions is yes.

So the quick process:

Access point Hostapd: 192.168.0.1
SSID Enterprise

So first go to Configuration -> Roles and create roles (Vlan_10,
Vlan_20 ...).
In Switches, configure your access point with its IP ... and map VLAN IDs to
roles (Vlan_10 -> 10, Vlan_20 -> 20 ...).

In Sources, create an internal AD source (MY_ACTIVE_DIRECTORY) and, after
creating the source, add a rule with something like:

Name User_to_vlan_10
memberOf is member of Vlan 10
Action: Set role Vlan_10
Set access duration 5 days

Name User_to_Vlan_20
....


Then in Portal Profiles add a profile (MY_PORTAL):
Filter : Enterprise (SSID Type)
Sources : MY_ACTIVE_DIRECTORY.


So when a user tries to connect to the SSID Enterprise, he will hit the
MY_PORTAL captive portal; after the user enters his username and
password, PacketFence will test them against MY_ACTIVE_DIRECTORY and, if they
match, try the rules. If a rule matches (for example User_to_Vlan_10)
it will set the role Vlan_10, set the access duration to 5 days and map to
VLAN ID 10.

Regards
Fabrice
--
Fabrice Durand
***@inverse.ca :: +1.514.447.4918 (x135) :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence (http://packetfence.org)
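Fabrice's quick process chains three objects: an AD source rule matches on memberOf and sets a role, and the switch entry maps that role to a VLAN ID. The block below is an added example written for this thread, not PacketFence code (PacketFence evaluates its source rules inside the product, in Perl): it models that decision so the chain group -> role -> VLAN can be traced end to end, including the "any"/"all" match mode of the rule editor, first-match-wins ordering, and the case where no rule matches. The rule names, role names and access point IP come from Fabrice's message; the directory entries, the operator set and the behaviour on no match are assumptions made for the example, and the LDAP bind (password check) is deliberately left out.

```python
"""Model of the role/VLAN decision described in Fabrice's quick process.

Added example for this thread, not PacketFence code. Rule, role and switch names
come from the thread; DIRECTORY, the operator set and the no-match behaviour are
assumptions for illustration.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

Entry = Dict[str, List[str]]  # an AD/LDAP entry: attribute -> list of values


@dataclass
class Condition:
    attribute: str   # e.g. "memberOf"
    operator: str    # "is member of", "equals" or "starts with"
    value: str


@dataclass
class Rule:
    name: str
    conditions: List[Condition]
    match: str = "any"                                        # "any" or "all"
    actions: Dict[str, str] = field(default_factory=dict)     # set_role, set_access_duration


def _cn(dn: str) -> str:
    """'CN=Vlan 10,OU=Groups,DC=example,DC=com' -> 'Vlan 10', so a rule may name the
    group either by its CN or by its full DN."""
    rdn = dn.split(",", 1)[0]
    return rdn.split("=", 1)[1] if "=" in rdn else rdn


OPERATORS: Dict[str, Callable[[List[str], str], bool]] = {
    "is member of": lambda vals, v: any(x == v or _cn(x).lower() == v.lower() for x in vals),
    "equals": lambda vals, v: v in vals,
    "starts with": lambda vals, v: any(x.startswith(v) for x in vals),
}


def condition_matches(cond: Condition, entry: Entry) -> bool:
    return OPERATORS[cond.operator](entry.get(cond.attribute, []), cond.value)


def rule_matches(rule: Rule, entry: Entry) -> bool:
    results = [condition_matches(c, entry) for c in rule.conditions]
    return any(results) if rule.match == "any" else all(results)


def apply_rules(rules: List[Rule], entry: Entry) -> Optional[Tuple[str, Dict[str, str]]]:
    """Rules are tried in the order they are listed in the source; the first match wins."""
    for rule in rules:
        if rule_matches(rule, entry):
            return rule.name, dict(rule.actions)
    return None


# Role -> VLAN ID mapping for the Hostapd access point, as set under Switches.
SWITCHES: Dict[str, Dict[str, int]] = {"192.168.0.1": {"Vlan_10": 10, "Vlan_20": 20}}

# Rules on the AD source MY_ACTIVE_DIRECTORY. Note the AD group is "Vlan 10" while the
# PacketFence role is "Vlan_10": only the rule links the two.
RULES: List[Rule] = [
    Rule("User_to_vlan_10", [Condition("memberOf", "is member of", "Vlan 10")],
         actions={"set_role": "Vlan_10", "set_access_duration": "5 days"}),
    Rule("User_to_Vlan_20", [Condition("memberOf", "is member of", "Vlan 20")],
         actions={"set_role": "Vlan_20", "set_access_duration": "5 days"}),
]

# Constructed directory entries (what a search on the authenticated user would return).
DIRECTORY: Dict[str, Entry] = {
    "john": {"memberOf": ["CN=Vlan 10,OU=Groups,DC=example,DC=com"]},
    "alice": {"memberOf": ["CN=Domain Users,CN=Users,DC=example,DC=com",
                           "CN=Vlan 20,OU=Groups,DC=example,DC=com"]},
    "bob": {"memberOf": ["CN=Domain Users,CN=Users,DC=example,DC=com"]},
}


def decide(username: str, switch_ip: str) -> dict:
    """Role, VLAN and access duration for a user whose credentials already passed."""
    outcome = apply_rules(RULES, DIRECTORY.get(username, {}))
    if outcome is None:
        # No rule matched, so no role is set. Which VLAN the port ends up in then
        # (registration/default VLAN of the switch entry) is a separate setting.
        return {"rule": None, "role": None, "vlan": None, "duration": None}
    name, actions = outcome
    role = actions.get("set_role")
    return {"rule": name, "role": role, "vlan": SWITCHES[switch_ip].get(role),
            "duration": actions.get("set_access_duration")}


if __name__ == "__main__":
    for user in DIRECTORY:
        print(user, decide(user, "192.168.0.1"))
```

Two things the model makes visible that the prose leaves implicit: a user in both groups gets whichever rule is listed first, so rule order in the source is part of the policy, and a user in neither group ends with no role at all, so the fallback VLAN on the switch entry is what actually protects that port.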