To reiterate my issue:
A Windows 8.1 laptop will register via 802.1x using its computer host
name, not user name:
The user name is user
The computer name is user-laptop
We can see them in the database like this:
[root@p-r-apps-02 pf]# bin/pfcmd node view all | grep 00:24:d7:00:aa:bb
00:24:d7:00:aa:bb|user-laptop|host/user-laptop.ad.davenport.edu|guest|reg||0||2014-09-11 11:05:55|2015-02-12 13:23:33||WiFi 802.1X|10.1.49.6|13|56|DU-Secure-2|host/user-laptop.ad.davenport.edu|Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36|Microsoft Windows 8 or 8.1 (Version 6.2)||2015-02-10 13:47:01||AUTO-REGISTERED
[root@p-r-apps-02 pf]#
Note that they get the role of "guest", and are able to connect to the
guest network.
When we do an authentication test, we see that the user authenticates fine,
but using the computer name does not:
[root@p-r-apps-02 pf]# bin/pftest authentication user "***" AD
Testing authentication for "user"
Authenticating against AD
Authentication SUCCEEDED against AD (Authentication successful using LDAP)
Matched against AD
set_role : staff
set_access_duration : 3Y
[root@p-r-apps-02 pf]# bin/pftest authentication host/user-laptop.ad.davenport.edu "***" AD
Testing authentication for "host/user-laptop.ad.davenport.edu"
Authenticating against AD
Authentication FAILED against AD (Invalid login or password)
Did not match against AD
Even though the PC seems to be using the hostname when authenticating, or
PF is populating the username, it is still granting access into the guest
network.
This is our problem. I have tried Derek's fix of removing the admin role
entries, but this has not helped.
Is anyone else having this problem with Windows 8.1 machines?
-
Pete Hoffswell - Network Manager
[email protected]
http://www.davenport.edu
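
Added example, not part of the original message and not PacketFence code: a small audit over `bin/pfcmd node view all` output that lists nodes registered under a machine identity (owner beginning with `host/`), as in the entry above. The order of the first five fields is an assumption inferred from the sample line in the message, and the second and third sample entries are constructed.

```python
import re

# Sample in the shape of the `bin/pfcmd node view all` line quoted in the
# message, truncated after the first fields. The first entry mirrors the
# message; the other two entries are constructed for illustration.
SAMPLE_LINES = [
    "00:24:d7:00:aa:bb|user-laptop|host/user-laptop.ad.davenport.edu|guest|reg||0",
    "00:24:d7:00:aa:cc|user-desktop|user|staff|reg||0",
    "00:24:d7:00:aa:dd|lab-pc|host/lab-pc.ad.davenport.edu|guest|unreg||0",
    "[root@p-r-apps-02 pf]#",  # shell prompt, must be skipped
]

MAC_RE = re.compile(r"^[0-9a-f]{2}(:[0-9a-f]{2}){5}$", re.IGNORECASE)
KEYS = ("mac", "computername", "owner", "role", "status")


def parse_node(line):
    """Return the leading fields of one node line, or None for other lines.

    Assumed field order (inferred from the sample, not from documentation):
    MAC, computer name, owner, role, registration status.
    """
    fields = line.strip().split("|")
    if len(fields) < len(KEYS) or not MAC_RE.match(fields[0]):
        return None
    return dict(zip(KEYS, fields[: len(KEYS)]))


def machine_registered(lines):
    """Nodes registered under a machine identity (owner starts with host/)."""
    hits = []
    for line in lines:
        node = parse_node(line)
        if node is None:
            continue
        if node["status"] == "reg" and node["owner"].lower().startswith("host/"):
            hits.append(node)
    return hits


if __name__ == "__main__":
    for n in machine_registered(SAMPLE_LINES):
        print(f'{n["mac"]} registered as {n["owner"]} with role {n["role"]}')
```

On a live server the input would be the unwrapped command output, one node per line.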
On Tue, Feb 10, 2015 at 1:51 PM, Pete Hoffswell <
[email protected]> wrote:
> Thanks. I see what you mean. I have two rules for web auth, perform the
> "Set access level of Web admin" for users connecting to the admin interface
> of PF.
>
> I have moved those to a new source, and removed them from our original
> source.
>
> This is 802.1X authentication. I don't see where we use any portal
> profile. The source is not defined in any of our portal profiles, as
> Ludovic set it up for us.
>
> So, we still have the problem. The machine gets registered to the network
> with the machine name, not the user name.
>
> -
> Pete Hoffswell - Network Manager
> [email protected]
> http://www.davenport.edu
>
>
> On Tue, Feb 10, 2015 at 11:37 AM, Derek Wuelfrath <[email protected]>
> wrote:
>
>> Pete,
>>
>> Sorry for the delay.
>>
>> Workaround would be as follows.
>>
>> - Create a new AD source with the exact same attributes (not the rules).
>> - In that new source, create the rules for the admin rights.
>> - Don’t create any rules for set_role…
>> That will be our “admin source”… let’s keep it our little secret (Bob
>> Ross style)
>>
>> Then, in the other source (the one that is already configured), remove
>> every rule for admin purposes.
>>
>> Make sure the different portal profiles use only the sources for users
>> (not the admin one)
>>
>> Let me know if it’s more clear.
>>
>> Cheers!
>> dw.
>>
>> --
>> Derek Wuelfrath
>> [email protected] :: www.inverse.ca
>> +1.514.447.4918 (x110) :: +1.866.353.6153 (x110)
>> Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence (
>> www.packetfence.org)
>>
>> On February 10, 2015 at 10:14:06, Pete Hoffswell (
>> [email protected]) wrote:
>>
>> Hi -
>>
>> Is there an updated status on this issue?
>>
>> Is there a further detailed instruction on the work-around?
>>
>> Thanks.
>>
>>
>