Probably these too: UDP: 137, 138, 53 and TCP: 139, 445, 53

Fabrice

On Friday 28 November 2014 10:28 EST, "Gair, Jon" <[email protected]> wrote:
> Thanks.
>
> If I follow the Samba, Kerberos route, do you know which ports I will have to
> open to my DC? Ideally I am going to position the PacketFence server in a DMZ and
> was only expecting to expose LDAPS if I could get away with it. The
> krb5.conf file suggests this may just be 88 and 749 for Kerberos traffic, but
> I am wondering how much of a risk this authentication traffic will cause.
>
> Thanks
>
> Jon
>
>
> -----Original Message-----
> From: Fabrice Durand [mailto:[email protected]]
> Sent: 28 November 2014 15:18
> To: [email protected]
> Subject: Re: [PacketFence-users] EAP over AD/LDAP
>
>
> Just an alternative to installing Samba, Kerberos ....
>
> https://github.com/inverse-inc/packetfence/tree/devel/addons/nthash_AD_attribute
>
> Fabrice
>
> On Friday 28 November 2014 10:08 EST, Louis Munro <[email protected]> wrote:
> >
> > On 2014-11-28, at 9:55, "Gair, Jon" <[email protected]> wrote:
> >
> > > I am trying to determine the best way of authenticating users for a
> > > secure SSID against an Active Directory source. My AD source is working
> > > fine for a captive portal to sponsor and approve roles for MAC-based
> > > authentication, but I am wondering if any of this config can relate to EAP
> > > authentication.
> > >
> > > From reviewing the forums and manuals there does not appear to be a clear
> > > way forward on this. Is the best way to follow page 28 of the admin
> > > manual, which describes installing Samba, joining the server to the domain
> > > and editing various files in the RADIUS and Kerberos directories? Would
> > > setting this up as an LDAP source rather than an AD local source make the
> > > process any easier? Do the roles I have configured via the GUI for the
> > > portal get used by RADIUS for role/VLAN assignment for EAP?
> >
> > Hi John,
> >
> > If what you want is to authenticate your users with PEAP using 802.1x, LDAP
> > will not work.
> > Protocol limitations inherent to PEAP mean that no LDAP query of any kind
> > can get this to work with an Active Directory, because you cannot get the NT
> > hashed passwords out of it using LDAP.
> > See here for a protocol compatibility matrix:
> > http://deployingradius.com/documents/protocols/compatibility.html
> >
> > So pretty much your only way forward is to use winbind and join the machine
> > to the domain.
> > The current PacketFence version comes preconfigured for NTLM authentication,
> > but you will still have to edit /etc/krb5.conf and /etc/samba/smb.conf to
> > match your local configuration.
> >
> > Think of it this way: in an 802.1x setup with AD, FreeRADIUS is used for
> > authentication (checking passwords) and the rules you configure in
> > PacketFence are used for authorization (setting which role/VLAN is
> > returned).
> > The two complement each other.
> >
> > Hopefully that makes sense and gets you a bit further along.
> >
> > Regards,
> > --
> > Louis Munro
> > [email protected] :: www.inverse.ca
> > +1.514.447.4918 x125 :: +1 (866) 353-6153 x125
> > Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence
> > (www.packetfence.org)

_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
