Hello Irvan, yes it's normal, we did some unlang to mimic the way the realm is set when packetfence receives a machine authentication.
https://github.com/inverse-inc/packetfence/blob/devel/raddb/policy.d/packetfence#L36

Regards
Fabrice

On Fri, Nov 4, 2022 at 08:34, Irvan via PacketFence-users <packetfence-users@lists.sourceforge.net> wrote:

> Hello Ludovic,
>
> Thank you for your explanation.
> How about the realm? According to log, when windows sends computer account
> as login, Packetfence put it on Realm = "binus.local". But we never set up
> that realm.
> Is it normal too?
>
> Regards,
> Irvan.
>
> On Thu, Nov 3, 2022 at 12:16 AM Zammit, Ludovic <luza...@akamai.com>
> wrote:
>
>> Hello Irvan,
>>
>> It looks pretty normal that the windows sends the computer account
>> because it’s the default behavior.
>>
>> What is not normal, is that if you have at least one successful
>> authentication on the wifi with a username password, it should keep that
>> one and not re-ask again.
>>
>> All that can be configured on the SSID profile on windows.
>>
>> Thanks,
>>
>> Ludovic Zammit
>> Product Support Engineer Principal Lead
>> Akamai Technologies - Inverse
>>
>> On Nov 2, 2022, at 1:45 AM, Irvan via PacketFence-users <
>> packetfence-users@lists.sourceforge.net> wrote:
>>
>> Hello Everyone,
>>
>> We have strange behaviour with Windows Client connecting to dot1x WiFi on
>> Packetfence using AD Authentication source.
>>
>> The symptoms are:
>>
>> - The first time a Windows client connects to the SSID, it is asked for
>> username and password for login.
>> - But if the client forgets the SSID and tries to reconnect, Windows never asks for
>> username and password; it automatically sends the hostname as login to
>> packetfence, and it is accepted by packetfence.
>> - The same thing happens when the user comes back the next day: Windows
>> sends the hostname as login instead of the username, and it is also accepted by
>> packetfence.
>>
>> We don't set up any machine auth, only user auth. Drilling down into the radius
>> log, we saw that the hostname login hit a non-existent realm. Using username and
>> password, the client hits the null realm. But when windows sends the hostname it hits the
>> binus.local realm, which does not exist.
>>
>> Below are the radius log and realm.conf
>>
>> 1. Using user auth
>> ===============
>> Request Time
>> 0
>>
>> RADIUS Request
>> User-Name = "loudy.owen"
>> NAS-IP-Address = 10.21.36.41
>> NAS-Port = 4
>> Service-Type = Framed-User
>> State = 0x6067228e61c0382594e9daec37da5a60
>> Called-Station-Id = "90:3a:72:03:18:90:BinusWifi-Staff.1x"
>> Calling-Station-Id = "70:66:55:34:28:f3"
>> NAS-Identifier = "90-3A-72-03-18-90"
>> NAS-Port-Type = Wireless-802.11
>> Acct-Session-Id = "6361F1F4-03189001"
>> Acct-Multi-Session-Id = "88DA8FBC70CEC821"
>> Event-Timestamp = "Nov 2 2022 11:28:41 WIB"
>> Connect-Info = "CONNECT 802.11"
>> EAP-Message = 0x02a700061a03
>> Chargeable-User-Identity = 0x00
>> Location-Data = 0x31304944170d42696e7573205379616864616e
>> WLAN-Pairwise-Cipher = 1027076
>> WLAN-Group-Cipher = 1027076
>> WLAN-AKM-Suite = 1027073
>> FreeRADIUS-Proxied-To = 127.0.0.1
>> Ruckus-SSID = "BinusWifi-Staff.1x"
>> Ruckus-Wlan-Id = 508
>> Ruckus-Location = "Binus Syahdan"
>> Ruckus-SCG-CBlade-IP = 180933220
>> Ruckus-VLAN-ID = 1220
>> Ruckus-BSSID = 0x903a7243189d
>> Ruckus-Zone-Name = "AP-Zone-Syahdan"
>> Ruckus-Wlan-Name = "VlanPool2"
>> EAP-Type = MSCHAPv2
>> Stripped-User-Name = "loudy.owen"
>> Realm = "null"
>> Called-Station-SSID = "BinusWifi-Staff.1x"
>> PacketFence-Domain = "binus"
>> PacketFence-KeyBalanced = "10a6d36fd6ec338584a72fcbe75f86ba"
>> PacketFence-Radius-Ip = "10.200.210.87"
>> PacketFence-NTLMv2-Only = ""
>> PacketFence-Outer-User = "loudy.owen"
>> Attr-26.25053.155 = 0x5379616864616e2043616d707573
>> User-Password = "******"
>> SQL-User-Name = "loudy.owen"
>>
>> RADIUS Reply
>> EAP-Message = 0x03a70004
>> Message-Authenticator = 0x00000000000000000000000000000000
>> User-Name = "loudy.owen"
>> REST-HTTP-Status-Code = 200
>>
>> ==============================================
>>
>> 2. Using hostname
>> ===============
>> Request Time
>> 0
>>
>> RADIUS Request
>> User-Name = "host/NB202007000166.binus.local"
>> NAS-IP-Address = 10.21.36.41
>> NAS-Port = 4
>> Service-Type = Framed-User
>> State = 0xb4483109b5402b5768b5cf1f24ad1e9e
>> Called-Station-Id = "90:3a:72:03:18:90:BinusWifi-Staff.1x"
>> Calling-Station-Id = "70:66:55:34:28:f3"
>> NAS-Identifier = "90-3A-72-03-18-90"
>> NAS-Port-Type = Wireless-802.11
>> Acct-Session-Id = "6361F350-03189001"
>> Acct-Multi-Session-Id = "3DD47C3ED408529E"
>> Event-Timestamp = "Nov 2 2022 11:34:26 WIB"
>> Connect-Info = "CONNECT 802.11"
>> EAP-Message = 0x020800061a03
>> Chargeable-User-Identity = 0x00
>> Location-Data = 0x31304944170d42696e7573205379616864616e
>> WLAN-Pairwise-Cipher = 1027076
>> WLAN-Group-Cipher = 1027076
>> WLAN-AKM-Suite = 1027073
>> FreeRADIUS-Proxied-To = 127.0.0.1
>> Ruckus-SSID = "BinusWifi-Staff.1x"
>> Ruckus-Wlan-Id = 508
>> Ruckus-Location = "Binus Syahdan"
>> Ruckus-SCG-CBlade-IP = 180933220
>> Ruckus-VLAN-ID = 1220
>> Ruckus-BSSID = 0x903a7243189d
>> Ruckus-Zone-Name = "AP-Zone-Syahdan"
>> Ruckus-Wlan-Name = "VlanPool2"
>> EAP-Type = MSCHAPv2
>> Realm = "binus.local"
>> Called-Station-SSID = "BinusWifi-Staff.1x"
>> PacketFence-Domain = "binus"
>> PacketFence-KeyBalanced = "e080ae33e5dd7f64d0155f1a8dc95245"
>> PacketFence-Radius-Ip = "10.200.210.87"
>> PacketFence-NTLMv2-Only = ""
>> PacketFence-Outer-User = "host/NB202007000166.binus.local"
>> Attr-26.25053.155 = 0x5379616864616e2043616d707573
>> User-Password = "******"
>> SQL-User-Name = "host/NB202007000166.binus.local"
>>
>> RADIUS Reply
>> MS-MPPE-Encryption-Policy = Encryption-Required
>> MS-MPPE-Encryption-Types = 4
>> MS-MPPE-Send-Key = 0xb45a79e25b9f5bda45259afc13d0dc5c
>> MS-MPPE-Recv-Key = 0xe52d30f3e2977a2c1219c4200bc44678
>> EAP-Message = 0x03080004
>> Message-Authenticator = 0x00000000000000000000000000000000
>> User-Name = "host/NB202007000166.binus.local"
>> REST-HTTP-Status-Code = 200
>>
>>
>> 3. realm.conf
>> ==========
>> # Copyright (C) Inverse inc.
>> [1 DEFAULT]
>> radius_auth_compute_in_pf=enabled
>> radius_acct=
>> eduroam_radius_auth=
>> radius_auth=
>> eduroam_radius_acct=
>> radius_auth_proxy_type=keyed-balance
>> eduroam_radius_acct_proxy_type=load-balance
>> eduroam_radius_auth_proxy_type=keyed-balance
>> permit_custom_attributes=disabled
>> radius_acct_proxy_type=load-balance
>> eduroam_radius_auth_compute_in_pf=enabled
>> domain=binus
>>
>> [1 LOCAL]
>> eduroam_radius_acct=
>> radius_auth=
>> radius_acct=
>> eduroam_radius_acct_proxy_type=load-balance
>> radius_acct_proxy_type=load-balance
>> eduroam_radius_auth=
>> radius_auth_compute_in_pf=enabled
>> radius_auth_proxy_type=keyed-balance
>> permit_custom_attributes=disabled
>> eduroam_radius_auth_compute_in_pf=enabled
>> eduroam_radius_auth_proxy_type=keyed-balance
>>
>> [1 NULL]
>> radius_auth_compute_in_pf=enabled
>> radius_acct=
>> radius_auth=
>> eduroam_radius_auth=
>> eduroam_radius_auth_proxy_type=keyed-balance
>> eduroam_radius_acct=
>> radius_auth_proxy_type=keyed-balance
>> eduroam_radius_acct_proxy_type=load-balance
>> permit_custom_attributes=disabled
>> radius_acct_proxy_type=load-balance
>> eduroam_radius_auth_compute_in_pf=enabled
>> domain=binus
>>
>> =============================
>>
>> How could this happen? Any advice?
>>
>> Thanks in advance
>>
>> Regards,
>> Irvan
_______________________________________________
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users
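For operators who want to audit a user-auth-only SSID for the behaviour discussed in this thread, here is an added example (not part of the thread and not PacketFence code) that parses request dumps in the format quoted above and reports stations that sent a `host/` machine identity, together with any realm that has no section in realm.conf. The sample log is constructed from the two quoted requests; the function names and the `host/<name>.<suffix>` pattern are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample: attributes trimmed from the two requests quoted in the thread.
SAMPLE = """\
RADIUS Request
User-Name = "loudy.owen"
Calling-Station-Id = "70:66:55:34:28:f3"
Realm = "null"
RADIUS Reply
User-Name = "loudy.owen"
RADIUS Request
User-Name = "host/NB202007000166.binus.local"
Calling-Station-Id = "70:66:55:34:28:f3"
Realm = "binus.local"
RADIUS Reply
User-Name = "host/NB202007000166.binus.local"
"""

ATTR = re.compile(r'^\s*([\w.-]+)\s*=\s*"?(.*?)"?\s*$')
# Assumed shape of a Windows machine identity: host/<name>.<dns-suffix>
MACHINE = re.compile(r"^host/[^.]+\.(.+)$", re.IGNORECASE)

def parse_requests(text):
    """Return one attribute dict per 'RADIUS Request' block, skipping replies."""
    requests, current = [], None
    for line in text.splitlines():
        label = line.strip()
        if label == "RADIUS Request":
            current = {}
            requests.append(current)
        elif label == "RADIUS Reply":
            current = None
        elif current is not None and (m := ATTR.match(line)):
            current[m.group(1)] = m.group(2)
    return requests

def machine_suffix(user_name):
    """DNS suffix of a host/ identity, or None for a user identity."""
    m = MACHINE.match(user_name)
    return m.group(1).lower() if m else None

def audit(text, configured_realms):
    """Per station: identities seen, and machine-auth realms missing from realm.conf."""
    seen = defaultdict(lambda: {"user": set(), "machine": set(), "undefined_realms": set()})
    for req in parse_requests(text):
        name, mac = req.get("User-Name", ""), req.get("Calling-Station-Id", "?")
        suffix = machine_suffix(name)
        seen[mac]["machine" if suffix else "user"].add(name)
        if suffix and req.get("Realm", "").lower() not in configured_realms:
            seen[mac]["undefined_realms"].add(req.get("Realm"))
    return {mac: s for mac, s in seen.items() if s["machine"]}
```

Calling `audit(SAMPLE, {"default", "local", "null"})` with the section names from the quoted realm.conf reports the one station that used both identities and lists `binus.local` as a realm with no section of its own.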