Thanks for the quick response. That answers my question, but let me see if I
understand the scenario. What I am trying to accomplish is having one global
SSID with WPA2/AES that authenticates with AD. Students can provide their AD
credentials and be sent to the student network on their own (internal source
setup from this). Employee AD accounts will require MAC address approval to be
put into the employee VLAN (no internal source, just approval through the nodes
database). So, as I understand it, the client will hit FreeRADIUS authentication
first and verify their AD credentials. Next it would look at the internal source
list and see the Student group auto-register as student VLAN. The Employee group has no
internal source, so it will hit the Registration network until the node is approved in
PacketFence. Is this the correct working order?
Jeremy Plumley
ITS Network Technician
Guilford Technical Community College, www.GTCC.edu
601 East Main St., Jamestown, NC 27282
Office – 336.334.4822 ext 50428
1 John 1:9 ~ If we confess our sins, he is faithful and just to forgive us our
sins, and to cleanse us from all unrighteousness.
From: Derek Wuelfrath [mailto:[email protected]]
Sent: Thursday, February 12, 2015 9:25 AM
To: [email protected]; Jeremy Plumley
Subject: Re: [PacketFence-users] Packetfence dot1x wireless authentication
Jeremy,
When you are connecting to an SSID with packetfence it goes by your internal
sources in order for dot1x authentication correct?
802.1x works in kind of “two steps”.
Authentication in FreeRADIUS is completed against your AD with mschap. That
means that only having the PacketFence server joined to the domain would work.
The second step, ‘post-auth’, is where PacketFence is taking a decision based on
the credentials you provided. That part needs, in fact, a rule in the
authentication source that would set a role so that PacketFence will be able to
assign a VLAN.
Let me know if you need more info.
Cheers!
dw.
--
Derek Wuelfrath
[email protected] :: www.inverse.ca
+1.514.447.4918 (x110) :: +1.866.353.6153 (x110)
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and
PacketFence (www.packetfence.org)
On February 12, 2015 at 09:17:10, Jeremy Plumley ([email protected]) wrote:
Just seeing if I can get some clarification on setting up dot1x wireless
authentication in PacketFence. Worked on this for a while a few months back but
hit a road block. I was able to get the PacketFence server to join our AD domain
and my account would work with the test utility to authenticate but would fail
mschap authentication when I connect to our wireless. After reading the
documentation I think I may have been missing adding our AD in as an internal
source. When you are connecting to an SSID with PacketFence, it goes by your
internal sources in order for dot1x authentication, correct? I only had one OU
added into internal sources to allow for Web admin access to restrict who could
log in. I think I need to add an overall AD source without Webadmin access, then
add conditions and rules for role access.
E-Mail correspondence to and from this address may be subject to the North
Carolina Public Records Law and shall be disclosed to third parties when
required by the statutes (G.S. 132-1.)
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users