From looking at the PacketFence log it is using the AD Authentication source but isn't finding the device.

Jan 16 08:54:46 <redacted> httpd.aaa-docker-wrapper[3005]: httpd.aaa(7) INFO: [mac:18:5e:0f:cc:39:86] handling radius autz request: from switch_ip => (<redacted>), connection_type => Wireless-802.11-EAP, switch_mac => (30:cb:c7:54:8d:12), mac => [18:5e:0f:cc:39:86], port => 0, username => "COL-ELT-03.pfa.education", ssid => ULCC-Curriculum (pf::radius::authorize)
Jan 16 08:54:46 <redacted> httpd.aaa-docker-wrapper[3005]: httpd.aaa(7) WARN: [mac:18:5e:0f:cc:39:86] [AD_MachineAuthentication Curriculum] Searching for (servicePrincipalName=COL-ELT-03.pfa.education), from OU=Computers,OU=PFA,DC=pfa,DC=education, with scope sub (pf::Authentication::Source::LDAPSource::match_in_subclass)
Jan 16 08:54:46 <redacted> httpd.aaa-docker-wrapper[3005]: httpd.aaa(7) WARN: [mac:18:5e:0f:cc:39:86] [AD_MachineAuthentication Catch-All] Searching for (servicePrincipalName=COL-ELT-03.pfa.education), from OU=Computers,OU=PFA,DC=pfa,DC=education, with scope sub (pf::Authentication::Source::LDAPSource::match_in_subclass)
Jan 16 08:54:46 <redacted> httpd.aaa-docker-wrapper[3005]: httpd.aaa(7) WARN: [mac:18:5e:0f:cc:39:86] No role specified or found for pid COL-ELT-03.pfa.education (MAC 18:5e:0f:cc:39:86); assume maximum number of registered nodes is reached (pf::node::is_max_reg_nodes_reached)

Regards

Corey Keeling | Senior IT Technician

________________________________
From: Corey Keeling (Shared Services IT - Staff) <corey.keel...@parksidecc.org.uk>
Sent: 16 January 2025 08:18
To: packetfence-users@lists.sourceforge.net <packetfence-users@lists.sourceforge.net>
Subject: AD - Machine Authentication

Dear all,

I have had PacketFence set up successfully for a year or so now with AD user authentication and Entra machine authentication, but I can't seem to get AD machine authentication to work correctly.

I have a connection profile set up to filter based on Wireless-EAP and SSID.

[ULCC-Curriculum]
autoregister=enabled
filter=connection_type:Wireless-802.11-EAP,ssid:ULCC-Curriculum
advanced_filter=
filter_match_style=all
locale=
sources=EntraID-MachineAuthentication,AD_MachineAuthentication
unreg_on_acct_stop=enabled

I have an authentication profile set up for AD and to filter based on security group.

[AD_MachineAuthentication]
set_access_durations_action=
scope=sub
verify=none
encryption=none
password=<redacted>
searchattributes=
basedn=OU=Computers,OU=PFA,DC=pfa,DC=education
realms=pfa.education
shuffle=0
dead_duration=60
description=Authenticates against AD Computers.
cache_match=0
type=AD
host=<redacted>
email_attribute=mail
monitor=1
use_connector=1
binddn=<redacted>
connection_timeout=1
write_timeout=5
port=389
usernameattribute=servicePrincipalName
read_timeout=10
dynamic_routing_module=AuthModule

[AD_MachineAuthentication rule Curriculum]
status=enabled
condition0=ldap:memberOf,is member of,CN=Domain Computers,CN=Users,DC=pfa,DC=education
class=authentication
action0=set_access_duration=5D
action1=set_role=ad_machine
match=all

[AD_MachineAuthentication rule Catch-All]
action0=set_role=REJECT
action1=set_access_duration=1h
match=all
status=enabled
class=authentication

I have created a realm for pfa.education. I have tried stripping and not stripping the pfa.education but it makes no difference.

[pfa.education]
eduroam_radius_acct_proxy_type=load-balance
eduroam_radius_auth=
radius_acct_proxy_type=load-balance
eduroam_radius_acct=
domain=pfa
radius_auth_proxy_type=keyed-balance
eduroam_radius_auth_proxy_type=keyed-balance
admin_strip_username=enabled
eduroam_radius_auth_compute_in_pf=enabled
eap=default
permit_custom_attributes=disabled
radius_acct=
radius_auth=
portal_strip_username=enabled
radius_strip_username=enabled
radius_auth_compute_in_pf=enabled

From what I can see from the audit page, the computer is hitting PacketFence, it knows it should use the ULCC-Curriculum connection profile and detects the correct realm but doesn't use the authentication profile and so gets rejected as it couldn't compute any roles.

Can anyone please help me with what I am missing to get this working?

Regards

Corey Keeling | Senior IT Technician
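
Added example, not part of the original message and not PacketFence code: it groups httpd.aaa lines like the ones quoted above by MAC, lists the LDAP search each source rule ran, flags requests that ended with no role, and builds an OpenLDAP ldapsearch command that repeats a logged search so the result can be checked directly against the directory. <ad-host> and <binddn> are placeholders because the post redacts them; port 389 is the one in the posted source configuration.

```python
import re
import shlex

# The four log lines from the post above (hostname and switch IP are redacted there).
SAMPLE_LOG = r'''
Jan 16 08:54:46 <redacted> httpd.aaa-docker-wrapper[3005]: httpd.aaa(7) INFO: [mac:18:5e:0f:cc:39:86] handling radius autz request: from switch_ip => (<redacted>), connection_type => Wireless-802.11-EAP, switch_mac => (30:cb:c7:54:8d:12), mac => [18:5e:0f:cc:39:86], port => 0, username => "COL-ELT-03.pfa.education", ssid => ULCC-Curriculum (pf::radius::authorize)
Jan 16 08:54:46 <redacted> httpd.aaa-docker-wrapper[3005]: httpd.aaa(7) WARN: [mac:18:5e:0f:cc:39:86] [AD_MachineAuthentication Curriculum] Searching for (servicePrincipalName=COL-ELT-03.pfa.education), from OU=Computers,OU=PFA,DC=pfa,DC=education, with scope sub (pf::Authentication::Source::LDAPSource::match_in_subclass)
Jan 16 08:54:46 <redacted> httpd.aaa-docker-wrapper[3005]: httpd.aaa(7) WARN: [mac:18:5e:0f:cc:39:86] [AD_MachineAuthentication Catch-All] Searching for (servicePrincipalName=COL-ELT-03.pfa.education), from OU=Computers,OU=PFA,DC=pfa,DC=education, with scope sub (pf::Authentication::Source::LDAPSource::match_in_subclass)
Jan 16 08:54:46 <redacted> httpd.aaa-docker-wrapper[3005]: httpd.aaa(7) WARN: [mac:18:5e:0f:cc:39:86] No role specified or found for pid COL-ELT-03.pfa.education (MAC 18:5e:0f:cc:39:86); assume maximum number of registered nodes is reached (pf::node::is_max_reg_nodes_reached)
'''

MAC = re.compile(r"\[mac:([0-9a-f:]{17})\]")
AUTZ = re.compile(r'handling radius autz request: .*username => "([^"]*)", ssid => (\S+)')
# "[<source id> <rule id>] Searching for (<filter>), from <base DN>, with scope <scope>"
SEARCH = re.compile(r"\[([^\]\s]+) ([^\]]+)\] Searching for \(([^)]*)\), from (.+?), with scope (\w+)")
NO_ROLE = re.compile(r"No role specified or found for pid (\S+)")


def summarize(log_text):
    """Group httpd.aaa lines by MAC: the request, the LDAP searches run, the outcome."""
    out = {}
    for line in log_text.splitlines():
        m = MAC.search(line)
        if not m:
            continue
        rec = out.setdefault(m.group(1), {"username": None, "ssid": None,
                                          "searches": [], "no_role": False})
        if (a := AUTZ.search(line)):
            rec["username"], rec["ssid"] = a.groups()
        elif (s := SEARCH.search(line)):
            keys = ("source", "rule", "filter", "basedn", "scope")
            rec["searches"].append(dict(zip(keys, s.groups())))
        elif NO_ROLE.search(line):
            rec["no_role"] = True
    return out


def ldapsearch_cmd(search, host="<ad-host>", binddn="<binddn>"):
    """Shell-quoted ldapsearch repeating one logged search (host/binddn are placeholders)."""
    argv = ["ldapsearch", "-x", "-H", f"ldap://{host}:389", "-D", binddn, "-W",
            "-b", search["basedn"], "-s", search["scope"],
            f"({search['filter']})", "servicePrincipalName", "memberOf"]
    return " ".join(shlex.quote(a) for a in argv)


if __name__ == "__main__":
    for mac, rec in summarize(SAMPLE_LOG).items():
        print(mac, rec["username"], rec["ssid"], "no role" if rec["no_role"] else "role set")
        for s in rec["searches"]:
            print(f"  rule {s['rule']}: {ldapsearch_cmd(s)}")
```

Running the printed command with the bind account shows whether the logged filter returns the computer object at all, and which servicePrincipalName and memberOf values the object carries.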