Dear all,

I have had PacketFence set up successfully for a year or so now with AD user 
authentication and Entra machine authentication, but I can't seem to get AD 
machine authentication to work properly.

I have a connection profile set up to filter based on Wireless-EAP and SSID.

[ULCC-Curriculum]
autoregister=enabled
filter=connection_type:Wireless-802.11-EAP,ssid:ULCC-Curriculum
advanced_filter=
filter_match_style=all
locale=
sources=EntraID-MachineAuthentication,AD_MachineAuthentication
unreg_on_acct_stop=enabled

I have an authentication profile set for AD and filter based on the security 
group.

[AD_MachineAuthentication]
set_access_durations_action=
scope=sub
verify=none
encryption=none
password=<redacted>
searchattributes=
basedn=OU=Computers,OU=PFA,DC=pfa,DC=education
realms=pfa.education
shuffle=0
dead_duration=60
description=Authenticates against AD Computers.
cache_match=0
type=AD
host=<redacted>
email_attribute=mail
monitor=1
use_connector=1
binddn=<redacted>
connection_timeout=1
write_timeout=5
port=389
usernameattribute=servicePrincipalName
read_timeout=10
dynamic_routing_module=AuthModule

[AD_MachineAuthentication rule Curriculum]
status=enabled
condition0=ldap:memberOf,is member of,CN=Domain Computers,CN=Users,DC=pfa,DC=education
class=authentication
action0=set_access_duration=5D
action1=set_role=ad_machine
match=all

[AD_MachineAuthentication rule Catch-All]
action0=set_role=REJECT
action1=set_access_duration=1h
match=all
status=enabled
class=authentication

I have created a realm for pfa.education.
I have tried stripping and not stripping the pfa.education, but it makes no 
difference.

[pfa.education]
eduroam_radius_acct_proxy_type=load-balance
eduroam_radius_auth=
radius_acct_proxy_type=load-balance
eduroam_radius_acct=
domain=pfa
radius_auth_proxy_type=keyed-balance
eduroam_radius_auth_proxy_type=keyed-balance
admin_strip_username=enabled
eduroam_radius_auth_compute_in_pf=enabled
eap=default
permit_custom_attributes=disabled
radius_acct=
radius_auth=
portal_strip_username=enabled
radius_strip_username=enabled
radius_auth_compute_in_pf=enabled

PacketFence Log

Jan 16 08:54:46 <redacted> httpd.aaa-docker-wrapper[3005]: httpd.aaa(7) INFO: 
[mac:18:5e:0f:cc:39:86] handling radius autz request: from switch_ip => 
(<redacted>), connection_type => Wireless-802.11-EAP, switch_mac => 
(30:cb:c7:54:8d:12), mac => [18:5e:0f:cc:39:86], port => 0, username => 
"COL-ELT-03.pfa.education", ssid => ULCC-Curriculum (pf::radius::authorize)
Jan 16 08:54:46 <redacted> httpd.aaa-docker-wrapper[3005]: httpd.aaa(7) WARN: 
[mac:18:5e:0f:cc:39:86] [AD_MachineAuthentication Curriculum] Searching for 
(servicePrincipalName=COL-ELT-03.pfa.education), from 
OU=Computers,OU=PFA,DC=pfa,DC=education, with scope sub 
(pf::Authentication::Source::LDAPSource::match_in_subclass)
Jan 16 08:54:46 <redacted> httpd.aaa-docker-wrapper[3005]: httpd.aaa(7) WARN: 
[mac:18:5e:0f:cc:39:86] [AD_MachineAuthentication Catch-All] Searching for 
(servicePrincipalName=COL-ELT-03.pfa.education), from 
OU=Computers,OU=PFA,DC=pfa,DC=education, with scope sub 
(pf::Authentication::Source::LDAPSource::match_in_subclass)
Jan 16 08:54:46 <redacted> httpd.aaa-docker-wrapper[3005]: httpd.aaa(7) WARN: 
[mac:18:5e:0f:cc:39:86] No role specified or found for pid 
COL-ELT-03.pfa.education (MAC 18:5e:0f:cc:39:86); assume maximum number of 
registered nodes is reached (pf::node::is_max_reg_nodes_reached)


From what I can see from the audit page and the PacketFence log, the computer 
is hitting PacketFence, it knows it should use the ULCC-Curriculum connection 
profile and detects the correct realm, looks up the device using the correct 
authentication method, but for some reason is unable to find the device even 
though it's there. I can query it using ldapsearch on the same box.


Can anyone help me with what I am missing to get this working, please?



Corey
_______________________________________________
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users
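To make the lookup shown in the log concrete, here is an added example: a small Python model of the steps an AD authentication source and its two rules perform, written for this thread and not taken from PacketFence's code or from Corey's post. It strips the realm, builds the equality filter that appears in the log, searches under the configured base DN with scope sub, and then applies the memberOf condition of the Curriculum rule, falling through to the Catch-All rule. The directory entry, every attribute value in it, and the alternative attributes it is compared against (dNSHostName, sAMAccountName) are constructed assumptions; the example demonstrates that an LDAP equality filter only matches an exact (case-insensitive) value of the attribute named in usernameattribute, and it does not diagnose what is in Corey's directory.

```python
"""Offline model of the lookup a PacketFence AD source performs for a rule.

Added example, not PacketFence code and not from the original post. The
source settings are those in the post; the directory entry is constructed.
"""

# Settings taken from [AD_MachineAuthentication] and its two rules.
USERNAME_ATTRIBUTE = "servicePrincipalName"
BASEDN = "OU=Computers,OU=PFA,DC=pfa,DC=education"
REALM = "pfa.education"
RULE_GROUP = "CN=Domain Computers,CN=Users,DC=pfa,DC=education"
RULE_ROLE, RULE_DURATION = "ad_machine", "5D"
CATCH_ALL_ROLE, CATCH_ALL_DURATION = "REJECT", "1h"

# Constructed computer object (assumption: illustrative values, not Corey's AD).
# servicePrincipalName is multi-valued; the values here follow the usual
# HOST/<name> form, while the FQDN is kept in dNSHostName and the account
# name in sAMAccountName. memberOf is populated for the demo; note that AD
# does not list an object's primary group in memberOf at all.
DIRECTORY = [
    {
        "dn": "CN=COL-ELT-03,OU=Computers,OU=PFA,DC=pfa,DC=education",
        "dNSHostName": ["COL-ELT-03.pfa.education"],
        "sAMAccountName": ["COL-ELT-03$"],
        "servicePrincipalName": ["HOST/COL-ELT-03", "HOST/COL-ELT-03.pfa.education"],
        "memberOf": [RULE_GROUP],
    },
]


def strip_realm(username: str, realm: str = REALM, strip: bool = True) -> str:
    """Model radius_strip_username: drop a trailing '@realm' suffix only."""
    suffix = "@" + realm
    if strip and username.lower().endswith(suffix.lower()):
        return username[: -len(suffix)]
    return username


def build_filter(value: str, attribute: str = USERNAME_ATTRIBUTE) -> str:
    """Equality filter as logged by LDAPSource::match_in_subclass (RFC 4515 escaping)."""
    for raw, esc in (("\\", r"\5c"), ("*", r"\2a"), ("(", r"\28"), (")", r"\29"), ("\0", r"\00")):
        value = value.replace(raw, esc)
    return f"({attribute}={value})"


def in_scope(dn: str, basedn: str, scope: str = "sub") -> bool:
    """scope=sub: base and everything below; scope=one: direct children only.
    Simplified: does not handle escaped commas inside RDN values."""
    dn_l, base_l = dn.lower(), basedn.lower()
    if dn_l == base_l:
        return scope in ("base", "sub")
    if not dn_l.endswith("," + base_l):
        return False
    below = dn_l[: -len(base_l) - 1]  # RDNs between the entry and the base
    return scope == "sub" or (scope == "one" and "," not in below)


def search(directory, attribute: str, value: str, basedn: str = BASEDN, scope: str = "sub"):
    """Entries under basedn whose attribute holds value (caseIgnore equality)."""
    wanted = value.lower()
    return [e for e in directory
            if in_scope(e["dn"], basedn, scope)
            and any(v.lower() == wanted for v in e.get(attribute, []))]


def evaluate_rules(entry: dict) -> dict:
    """Curriculum rule: memberOf contains RULE_GROUP -> ad_machine; else Catch-All."""
    groups = {g.lower() for g in entry.get("memberOf", [])}
    if RULE_GROUP.lower() in groups:
        return {"role": RULE_ROLE, "access_duration": RULE_DURATION}
    return {"role": CATCH_ALL_ROLE, "access_duration": CATCH_ALL_DURATION}


def authorize(username: str, attribute: str = USERNAME_ATTRIBUTE,
              strip: bool = True, directory=DIRECTORY):
    """Rule outcome for a RADIUS username, or None when the lookup finds no
    entry (the 'No role specified or found for pid ...' path in the log)."""
    hits = search(directory, attribute, strip_realm(username, strip=strip))
    return evaluate_rules(hits[0]) if hits else None


if __name__ == "__main__":
    user = "COL-ELT-03.pfa.education"  # username from the log line
    for attr, strip in (("servicePrincipalName", False), ("servicePrincipalName", True),
                        ("dNSHostName", False), ("sAMAccountName", True)):
        print(build_filter(strip_realm(user, strip=strip), attr), "->", authorize(user, attr, strip))
```

Running it prints the filter for each attribute choice next to the outcome, which is the quickest way to compare what PacketFence logs with what `ldapsearch -b "$BASEDN" "(servicePrincipalName=...)"` actually returns for the real object; if the two filters differ only in the attribute or in the exact value, that is where to look.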