Hello Simon,

Quickly it looks like a mismatch on the usernames.

bob is different from b...@domain.com

My guess is that when you log in on the status page it splits your name and you 
have no device under the user “simon”.

Thanks,

Ludovic Zammit
Product Support Engineer Principal

Cell: +1.613.670.8432
Akamai Technologies - Inverse
145 Broadway
Cambridge, MA 02142

> On Feb 1, 2022, at 11:06 AM, Simon Sutcliffe via PacketFence-users 
> <packetfence-users@lists.sourceforge.net> wrote:
> 
> Hi PF Team
>  
> Does anyone have any ideas to the below issue please?
>  
> As much as we as a team are coming to love and understand PacketFence, there 
> seem to be times (most days) when we just cannot understand what is 
> happening and why.  Today is one of those days 😊
> 
> We have got to the point of most of our use cases working with your great 
> support on this mailing list and we feel a little embarrassed to even write 
> this one as we know we are just doing something stupid.
>  
> Problem – First logon works, subsequent attempts fail.  
>  
> This is our setup for background.
>  
> Authentication Source - Active Directory (Interesting parts)
> 
> Identifier
> 
> <image002.png>
> 
> Search Criteria
> <image003.png>
>  
> No cache enabled
> 
> <image010.png>
> 
> Assigned Realms
> <image015.png>
> Testing Connection to AD works without issues
> <image016.png>
> 
> Connection Profile – Defined so it does not fall blindly into the “default 
> profile”
>  
> <image017.png>
>  
> Access to the connection profile controlled by this filter
> 
> <image018.png>
>  
> Authentication Sources Applied.
> 
> <image019.png>
>  
> Only connection profile provided with the Self Service Policy
> 
> <image020.png>
>  
> Logon Workflow.
>  
> Logon with UPN of an account in the AD
>  
> https://nac-test.corporateroot.net/status
> 
> <image021.png>
> 
> Successful logon
> 
> <image022.png>
>  
> Packetfence Log Info
> 
> Jan 28 16:02:36 packetfence packetfence_httpd.portal[2104085]: httpd.portal(2104085) INFO: [mac:0] Realm source is part of the connection profile sources. Using it as the only auth source. (captiveportal::PacketFence::Controller::Authenticate::getSources)
> Jan 28 16:02:36 packetfence packetfence_httpd.portal[2104085]: httpd.portal(2104085) INFO: [mac:0] [CorporaterootAuth] Authentication successful for simon.sutcli...@rhdhv.com (pf::Authentication::Source::LDAPSource::authenticate)
> Jan 28 16:02:36 packetfence packetfence_httpd.portal[2104085]: httpd.portal(2104085) INFO: [mac:0] Authentication successful for simon.sutcli...@rhdhv.com in source CorporaterootAuth (AD) (pf::authentication::authenticate)
> Jan 28 16:02:36 packetfence packetfence_httpd.portal[2104085]: httpd.portal(2104085) INFO: [mac:0] person simon.sutcli...@rhdhv.com added (pf::person::person_add)
> Jan 28 16:02:36 packetfence packetfence_httpd.portal[2104085]: httpd.portal(2104085) INFO: [mac:0] Successfully authenticated simon.sutcli...@rhdhv.com/10.251.41.29/0 (captiveportal::PacketFence::Controller::Authenticate::authenticationLogin)
>  
>  
> User account created within users
> 
> <image023.png>
> 
> Press Logout, and attempt to logon again.
> 
> <image024.png>
>  
> Logon Fails.
>  
> Packetfence log info
>  
> Jan 28 16:04:11 packetfence packetfence_httpd.portal[2103908]: httpd.portal(2103908) INFO: [mac:0] Realm source is part of the connection profile sources. Using it as the only auth source. (captiveportal::PacketFence::Controller::Authenticate::getSources)
>  
> Additional Information
>  
> If we now logon as the SamAccountName name of the account above this will 
> allow us to logon once, creates an account and then never again.  Hence every 
> unique named account can access successfully once, the account appears in the 
> users list.  On the domain controller we only see the first authentication 
> request but never another for the account.  Deleting the account in the users 
> list allows the account to logon again once.
>  
> We initially thought this was because the users was being used as an 
> authentication source and the password was “Blank”.  We create an account 
> directly within the users list using the create button and provide a password 
> but found these accounts can also not logon to the status portal (however 
> could logon to the admin portal if we gave them the required permissions).  
> 
> We have a feature request in place in GitHub to allow OpenID logon for the 
> status page as we want to remove username and passwords from our 
> organisation. But to get through the lab for now we cannot even get this bit 
> to work.
>  
> Help please, can you guide us to the thing we have missed or misconfigured \ 
> misunderstood as this is also driving us mad.  If you require more 
> information then please let me know.
>  
> Kind Regards
>  
> Simon
>  
>  
> Simon Sutcliffe
> IT Architect, Workplace Solutions
> 
> T +44 1733 336600 | M +44 7775 823368 | E simon.sutcli...@rhdhv.com | W www.royalhaskoningdhv.com
> HaskoningDHV UK Ltd., a company of Royal HaskoningDHV 
>  
> <image025.jpg>
>  
>  
> Royal HaskoningDHV - Internal Use Only
> This email and any attachments are intended solely for the use of the 
> addressee(s); disclosure or copying by others than the intended person(s) is 
> strictly prohibited. If you have received this email in error, please treat 
> this email as confidential, notify the sender and delete all copies of the 
> email immediately


_______________________________________________
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users
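
A triage sketch for the symptom discussed in this thread, added here as an example (it is not part of the original messages and is not PacketFence code): it groups `httpd.portal` log lines into logon attempts and reports those where source selection was logged but no authentication result followed. The sample lines are constructed in the format quoted above; the user, source name and the `without_realm` helper (which only models the guess in the reply) are assumptions.

```python
import re

# Constructed sample in the format quoted in the thread (user and source name are made up).
_P = "packetfence packetfence_httpd.portal[{0}]: httpd.portal({0}) INFO: [mac:0] "
SAMPLE_LOG = "\n".join([
    "Jan 28 16:02:36 " + _P.format(2104085) + "Realm source is part of the connection profile sources. "
    "Using it as the only auth source. (captiveportal::PacketFence::Controller::Authenticate::getSources)",
    "Jan 28 16:02:36 " + _P.format(2104085) + "Authentication successful for user@example.com "
    "in source ExampleAD (AD) (pf::authentication::authenticate)",
    "Jan 28 16:02:36 " + _P.format(2104085) + "person user@example.com added (pf::person::person_add)",
    "Jan 28 16:04:11 " + _P.format(2103908) + "Realm source is part of the connection profile sources. "
    "Using it as the only auth source. (captiveportal::PacketFence::Controller::Authenticate::getSources)",
])

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ packetfence_httpd\.portal\[(?P<pid>\d+)\]: "
    r".*?(?:INFO|WARN|ERROR): (?P<msg>.*) \((?P<func>[\w:]+)\)$"
)
USER_RE = re.compile(r"Authentication successful for (\S+)")

def attempts(log_text):
    """Split portal log lines into logon attempts; each getSources line starts one."""
    out, current = [], {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        pid, func = m["pid"], m["func"]
        if func.endswith("::getSources"):
            current[pid] = {"ts": m["ts"], "pid": pid, "funcs": [], "user": None}
            out.append(current[pid])
        if pid in current:
            current[pid]["funcs"].append(func.rsplit("::", 1)[-1])
            user = USER_RE.search(m["msg"])
            if user:
                current[pid]["user"] = user.group(1)
    return out

def stalled(log_text):
    """Attempts where a source was selected but no authenticate line was logged."""
    return [a for a in attempts(log_text) if "authenticate" not in a["funcs"]]

def without_realm(identity):
    """Assumption: models the reply's guess that the login name is split from its realm."""
    return identity.split("@", 1)[0] if "@" in identity else identity.split("\\")[-1]

if __name__ == "__main__":
    for a in stalled(SAMPLE_LOG):
        print(f"{a['ts']} pid={a['pid']}: source chosen, no authentication result logged")
    for a in attempts(SAMPLE_LOG):
        if a["user"]:
            print(f"stored as {a['user']!r}, without realm {without_realm(a['user'])!r}")
```
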
