Dear all, I have had PacketFence set up successfully for a year or so now with AD user authentication and Entra machine authentication, but I can't seem to get AD machine authentication to work properly.
I have a connection profile set up to filter based on Wireless-EAP and SSID.

[ULCC-Curriculum]
autoregister=enabled
filter=connection_type:Wireless-802.11-EAP,ssid:ULCC-Curriculum
advanced_filter=
filter_match_style=all
locale=
sources=EntraID-MachineAuthentication,AD_MachineAuthentication
unreg_on_acct_stop=enabled

I have an authentication profile set for AD and filter based on the security group.

[AD_MachineAuthentication]
set_access_durations_action=
scope=sub
verify=none
encryption=none
password=<redacted>
searchattributes=
basedn=OU=Computers,OU=PFA,DC=pfa,DC=education
realms=pfa.education
shuffle=0
dead_duration=60
description=Authenticates against AD Computers.
cache_match=0
type=AD
host=<redacted>
email_attribute=mail
monitor=1
use_connector=1
binddn=<redacted>
connection_timeout=1
write_timeout=5
port=389
usernameattribute=servicePrincipalName
read_timeout=10
dynamic_routing_module=AuthModule

[AD_MachineAuthentication rule Curriculum]
status=enabled
condition0=ldap:memberOf,is member of,CN=Domain Computers,CN=Users,DC=pfa,DC=education
class=authentication
action0=set_access_duration=5D
action1=set_role=ad_machine
match=all

[AD_MachineAuthentication rule Catch-All]
action0=set_role=REJECT
action1=set_access_duration=1h
match=all
status=enabled
class=authentication

I have created a realm for pfa.education. I have tried stripping and not stripping the pfa.education, but it makes no difference.

[pfa.education]
eduroam_radius_acct_proxy_type=load-balance
eduroam_radius_auth=
radius_acct_proxy_type=load-balance
eduroam_radius_acct=
domain=pfa
radius_auth_proxy_type=keyed-balance
eduroam_radius_auth_proxy_type=keyed-balance
admin_strip_username=enabled
eduroam_radius_auth_compute_in_pf=enabled
eap=default
permit_custom_attributes=disabled
radius_acct=
radius_auth=
portal_strip_username=enabled
radius_strip_username=enabled
radius_auth_compute_in_pf=enabled

PacketFence log:

Jan 16 08:54:46 <redacted> httpd.aaa-docker-wrapper[3005]: httpd.aaa(7) INFO: [mac:18:5e:0f:cc:39:86] handling radius autz request: from switch_ip => (<redacted>), connection_type => Wireless-802.11-EAP, switch_mac => (30:cb:c7:54:8d:12), mac => [18:5e:0f:cc:39:86], port => 0, username => "COL-ELT-03.pfa.education", ssid => ULCC-Curriculum (pf::radius::authorize)
Jan 16 08:54:46 <redacted> httpd.aaa-docker-wrapper[3005]: httpd.aaa(7) WARN: [mac:18:5e:0f:cc:39:86] [AD_MachineAuthentication Curriculum] Searching for (servicePrincipalName=COL-ELT-03.pfa.education), from OU=Computers,OU=PFA,DC=pfa,DC=education, with scope sub (pf::Authentication::Source::LDAPSource::match_in_subclass)
Jan 16 08:54:46 <redacted> httpd.aaa-docker-wrapper[3005]: httpd.aaa(7) WARN: [mac:18:5e:0f:cc:39:86] [AD_MachineAuthentication Catch-All] Searching for (servicePrincipalName=COL-ELT-03.pfa.education), from OU=Computers,OU=PFA,DC=pfa,DC=education, with scope sub (pf::Authentication::Source::LDAPSource::match_in_subclass)
Jan 16 08:54:46 <redacted> httpd.aaa-docker-wrapper[3005]: httpd.aaa(7) WARN: [mac:18:5e:0f:cc:39:86] No role specified or found for pid COL-ELT-03.pfa.education (MAC 18:5e:0f:cc:39:86); assume maximum number of registered nodes is reached (pf::node::is_max_reg_nodes_reached)

From what I can see from the audit page and the PacketFence log, the computer is hitting PacketFence: it knows it should use the ULCC-Curriculum connection profile, detects the correct realm, and looks up the device using the correct authentication method, but for some reason it is unable to find the device even though it's there. I can query it using ldapsearch on the same box.

Can anyone help me with what I am missing to get this working, please?

Corey
_______________________________________________
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users
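The log above shows the source issuing an exact equality filter, (servicePrincipalName=COL-ELT-03.pfa.education), under the configured base DN. The following Python is an added, stand-alone example (not PacketFence code and not the poster's) that replays that lookup, and the rule's memberOf condition, against a constructed AD computer object so the two checks can be compared offline. It assumes the usual shape of such an object: servicePrincipalName values are prefixed (HOST/shortname, HOST/fqdn, ...), the bare FQDN lives in dNSHostName, sAMAccountName is the short name with a trailing "$", and Domain Computers is the object's primary group (primaryGroupID 515), which AD does not list in memberOf. The entry, its DN and the username are constructed from the values in the post, not exported from a real directory. The filter builder also escapes the RADIUS-supplied username per RFC 4515, which is the check a defender wants in any code that turns an EAP identity into an LDAP filter.

```python
"""Replay the PacketFence LDAP lookup against a constructed AD computer object.

Everything below is constructed for illustration; the attribute shapes follow
how Active Directory normally populates a computer account.
"""

# RFC 4515 filter escaping: the username comes from the RADIUS request, so it
# must not be able to change the filter structure (no "*", "(", ")" or "\").
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def ldap_escape(value: str) -> str:
    """Escape a value for safe use inside an LDAP search filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def equality_filter(attr: str, value: str) -> str:
    """Build the same kind of (attr=value) filter PacketFence logs."""
    return f"({attr}={ldap_escape(value)})"


def entry_matches(entry: dict, attr: str, value: str) -> bool:
    """AD compares these attributes case-insensitively, but the whole value
    must be equal; a prefix or substring is not a match."""
    values = entry.get(attr, [])
    if isinstance(values, str):
        values = [values]
    return any(v.lower() == value.lower() for v in values)


# Constructed computer object, based on the names in the post (assumed shape).
SAMPLE_COMPUTER = {
    "dn": "CN=COL-ELT-03,OU=Computers,OU=PFA,DC=pfa,DC=education",
    "sAMAccountName": "COL-ELT-03$",
    "dNSHostName": "COL-ELT-03.pfa.education",
    "servicePrincipalName": [
        "HOST/COL-ELT-03",
        "HOST/COL-ELT-03.pfa.education",
        "RestrictedKrbHost/COL-ELT-03",
        "RestrictedKrbHost/COL-ELT-03.pfa.education",
    ],
    # Domain Computers is the primary group: recorded as a RID, not in memberOf.
    "primaryGroupID": 515,
    "memberOf": [],
}

DOMAIN_COMPUTERS_DN = "CN=Domain Computers,CN=Users,DC=pfa,DC=education"
DOMAIN_COMPUTERS_RID = 515


def lookup_outcomes(username: str, entry: dict = SAMPLE_COMPUTER) -> dict:
    """Return {filter: matched} for the lookups worth comparing side by side."""
    short = username.split(".", 1)[0]
    candidates = [
        ("servicePrincipalName", username),            # the filter in the log
        ("servicePrincipalName", f"HOST/{username}"),  # how the SPN is stored
        ("dNSHostName", username),                     # where the bare FQDN lives
        ("sAMAccountName", f"{short}$"),               # the account name form
    ]
    return {equality_filter(a, v): entry_matches(entry, a, v) for a, v in candidates}


def domain_computers_membership(entry: dict = SAMPLE_COMPUTER) -> dict:
    """Mirror a memberOf-based rule condition next to a primaryGroupID check."""
    via_member_of = any(g.lower() == DOMAIN_COMPUTERS_DN.lower()
                        for g in entry.get("memberOf", []))
    via_primary_group = entry.get("primaryGroupID") == DOMAIN_COMPUTERS_RID
    return {"memberOf": via_member_of, "primaryGroupID": via_primary_group}


if __name__ == "__main__":
    for flt, hit in lookup_outcomes("COL-ELT-03.pfa.education").items():
        print(f"{'match   ' if hit else 'no match'}  {flt}")
    print("Domain Computers membership:", domain_computers_membership())
```

Running it prints one line per candidate filter, so the filter copied from the log can be compared with the forms that do match the constructed object; the same filters can then be tried with ldapsearch against the real directory to confirm which attribute actually carries the value PacketFence is searching for. The membership function shows why a rule keyed on memberOf and a check keyed on primaryGroupID can disagree for a computer whose only group is Domain Computers.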