Hi Adrian,
My bad, I am a little bit tired ;-)
In fact it doesn't really matter to match the SUBDOMAIN realm for
machine authentication, let me explain why.
For user auth we need to strip the username (SUBDOMAIN/user) to be able
to match the username without the domain on the sAMAccountName attribute
(ldap search with sAMAccountName=user).
For machine authentication we need to match the complete username with
the servicePrincipalName attribute
(servicePrincipalName=host/IIR0010020.subdomain.domain.com)
Even if you use the SUBDOMAIN or LOCAL realm the request will come in
packetfence.
So what you need to do is:
Create 2 AD authentication sources like here:
https://github.com/inverse-inc/packetfence/blob/devel/docs/PacketFence_Administration_Guide.asciidoc#example
Create a new portal profile, with filter connection_type = Ethernet-EAP
Assign the 2 authentication sources to this portal
And select use stripped username
Then when you try to connect with dot1x, if it's a user auth then
the specific portal profile you created will match (connection_type =
Ethernet-EAP)
Then the stripped username will match on the user AD source and the rule
you defined will be applied.
If you connect with dot1x machine auth, the same specific portal profile
you created will match (connection_type = Ethernet-EAP)
Then the username will fail on the AD user authentication source but
will match on the AD machine authentication source and the rules you
defined will be applied.
It's just an example of a configuration you can use, but other workflows
are possible and are just limited by your imagination ;-) (2 portal
profiles, filter by realm, filter by username ...)
Regards
Fabrice
On 2015-04-03 15:14, Calugaru Adrian wrote:
Hi Fabrice,
I've tried to create a realm named "host" but it sees the host/ as part
of the hostname/username not like a domain.
Maybe if it was sending host\ instead of host/ it would work.
As an alternative I was thinking on changing the script checking for a
@ in the request and try to check domain.com.
Any other ideas ?
Thank you
Adrian
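
The lookup order described in the reply above, as an added example that is not part of the original thread and is not PacketFence code: one stripped identity is tried against a user source (sAMAccountName) and then a machine source (servicePrincipalName). The in-memory directory, the source names, the account names other than the host SPN, and the stripping rule (drop a "REALM\" prefix or "@realm" suffix) are assumptions made for illustration.

```python
import re

# Constructed directory entries standing in for Active Directory (not real data).
DIRECTORY = [
    {"sAMAccountName": "adrian", "servicePrincipalName": []},
    {"sAMAccountName": "IIR0010020$",
     "servicePrincipalName": ["host/IIR0010020.subdomain.domain.com"]},
]

# Two sources tried in order, as in the reply: user lookup, then machine lookup.
# The source names are hypothetical.
SOURCES = [("AD-users", "sAMAccountName"), ("AD-machines", "servicePrincipalName")]

def strip_realm(identity):
    """Assumed stripping rule: drop a 'REALM\\' prefix or an '@realm' suffix."""
    if "\\" in identity:
        identity = identity.split("\\", 1)[1]
    return identity.split("@", 1)[0]

def ldap_escape(value):
    """Escape RFC 4515 filter metacharacters so an identity cannot alter the filter."""
    return re.sub(r'[\\*()\x00]', lambda m: "\\%02x" % ord(m.group()), value)

def build_filter(attribute, username):
    """Build the equality filter a source would send for this username."""
    return "(%s=%s)" % (attribute, ldap_escape(username))

def lookup(attribute, username):
    """Exact, case-insensitive match, standing in for an LDAP equality search."""
    for entry in DIRECTORY:
        values = entry[attribute]
        values = values if isinstance(values, list) else [values]
        if any(v.lower() == username.lower() for v in values):
            return entry
    return None

def authenticate_source(identity):
    """Return (source name, filter) for the first source that matches, else None."""
    username = strip_realm(identity)
    for name, attribute in SOURCES:
        if lookup(attribute, username):
            return name, build_filter(attribute, username)
    return None
```

A host/ identity has no realm separator under this rule, so stripping leaves it whole: it misses the user source and matches only on servicePrincipalName.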
_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users