Thank you Fabrice, that worked but I still need your advice.
Now all my requests are going into the new profile with the Ethernet-EAP type
and if the computer is not authenticated the switch port goes into
unauthorized.
Does PF look at the authentication response and, if it's Access Rejected, put
the interface into the Registration VLAN?
What I'm trying to do is configure dot1x authentication on all switch ports
and:
- if it's a domain computer and it successfully authenticates, put the port
into the authorized VLAN (VID: 10)
- if the computer authentication fails, put the port into the Registration
VLAN (VID: 20) and use user authentication to log in on the portal. Once
authenticated, put the port in VLAN 10 (authorized)
- if the computer is not a domain computer (with dot1x or without), put the
port into the Registration VLAN and use local users to authenticate. Once
authenticated, put the port into the Guest VLAN (VID: 255)
As authentication mechanism I'm using a RADIUS server which is configured as
Source.
Thank you
Adrian
From: "[email protected]"
<[email protected]>
To: [email protected]
Sent: Monday, April 6, 2015 4:10 PM
Subject: PacketFence-users Digest, Vol 84, Issue 13
Today's Topics:
1. Dot1.x Computer authentication (Calugaru Adrian)
2. Re: Dot1.x Computer authentication (Durand fabrice)
3. Modify the email sent for guest email registration? (Howell, Michael)
4. (no subject) (Dennis Brown)
----------------------------------------------------------------------
Message: 1
Date: Fri, 3 Apr 2015 19:14:39 +0000 (UTC)
From: Calugaru Adrian <[email protected]>
Subject: [PacketFence-users] Dot1.x Computer authentication
To: "[email protected]"
<[email protected]>
Message-ID:
<[email protected]>
Content-Type: text/plain; charset="utf-8"
Hi Fabrice,
I've tried to create a realm named "host" but it sees the host/ as part of the
hostname/username, not like a domain.
Maybe if it was sending host\ instead of host/ it would work.
As an alternative I was thinking of changing the script to check for a @ in the
request and try to check domain.com.
Any other ideas?
Thank you
Adrian
------------------------------
Message: 2
Date: Fri, 03 Apr 2015 18:40:08 -0400
From: Durand fabrice <[email protected]>
Subject: Re: [PacketFence-users] Dot1.x Computer authentication
To: [email protected]
Message-ID: <[email protected]>
Content-Type: text/plain; charset="windows-1252"
Hi Adrian,
my bad, I am a little bit tired ;-)
In fact it doesn't really matter to match the SUBDOMAIN realm for
machine authentication, let me explain why.
For user auth we need to strip the username (SUBDOMAIN/user) to be able
to match the username without the domain on the sAMAccountName attribute
(ldap search with sAMAccountName=user).
For machine authentication we need to match the complete username with
the servicePrincipalName attribute
(servicePrincipalName=host/IIR0010020.subdomain.domain.com).
Even if you use the SUBDOMAIN or LOCAL realm the request will come into
PacketFence.
So what you need to do is:
Create 2 AD authentication sources like here:
https://github.com/inverse-inc/packetfence/blob/devel/docs/PacketFence_Administration_Guide.asciidoc#example
Create a new portal profile, with filter connection_type = Ethernet-EAP
Assign the 2 authentication sources to this portal
And select "use stripped username"
Then when you try to connect with dot1x, if it's a user auth then
the specific portal profile you created will match (connection_type =
Ethernet-EAP).
Then the stripped username will match on the user AD source and the rule
you defined will be applied.
If you connect with dot1x machine auth, the same specific portal profile
you created will match (connection_type = Ethernet-EAP).
Then the username will fail on the AD user authentication source but
will match on the AD machine authentication source and the rules you
defined will be applied.
It's just an example of a configuration you can use but other workflows
are possible and are just limited by your imagination ;-) (2 portal
profiles, filter by realm, filter by username ...)
Regards
Fabrice
On 2015-04-03 15:14, Calugaru Adrian wrote:
> Hi Fabrice,
>
> I've tried to create a realm named "host" but it sees the host/ as part
> of the hostname/username, not like a domain.
> Maybe if it was sending host\ instead of host/ it would work.
>
> As an alternative I was thinking of changing the script to check for a
> @ in the request and try to check domain.com.
> Any other ideas?
>
> Thank you
> Adrian
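The two-source lookup Fabrice describes (stripped username against sAMAccountName on the user source, the complete host/... identity against servicePrincipalName on the machine source, sources tried in the order assigned to the portal profile), as an added Python example that is not PacketFence code and not part of this thread. The source names, the in-memory stand-in for the directory and the sample identities are constructed assumptions; the RFC 4515 filter escaping is included because the identity arrives straight from the supplicant and is never safe to splice into an LDAP filter raw.

```python
import re

# RFC 4515 escaping for values placed inside an LDAP search filter. The dot1x
# identity is input chosen by the supplicant, so it is escaped before it is
# concatenated into any filter.
_LDAP_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

def ldap_escape(value):
    return "".join(_LDAP_ESCAPES.get(ch, ch) for ch in value)

# Identity formats from the thread: host/<fqdn> for machine auth,
# REALM\user or user@realm for user auth.
_REALM_USER_RE = re.compile(r"([^\\/@]+)\\([^\\/@]+)")
_USER_REALM_RE = re.compile(r"([^\\/@]+)@([^\\/@]+)")

def classify_identity(username):
    """Split a dot1x identity into kind, realm and the 'stripped' username."""
    if username.startswith("host/"):
        # Machine auth: the complete identity is what servicePrincipalName holds.
        return {"kind": "machine", "realm": None, "stripped": username}
    m = _REALM_USER_RE.fullmatch(username)
    if m:
        return {"kind": "user", "realm": m.group(1), "stripped": m.group(2)}
    m = _USER_REALM_RE.fullmatch(username)
    if m:
        return {"kind": "user", "realm": m.group(2), "stripped": m.group(1)}
    return {"kind": "user", "realm": None, "stripped": username}

# Constructed stand-ins for the two AD authentication sources (assumed names),
# in the order they are assigned to the portal profile. FAKE_DIRECTORY holds
# the attribute values a real AD search would return; a deployment runs the
# filter against the directory instead of this dict.
SOURCES = [
    {"name": "AD-users", "attribute": "sAMAccountName", "use_stripped": True},
    {"name": "AD-machines", "attribute": "servicePrincipalName", "use_stripped": False},
]
FAKE_DIRECTORY = {
    "AD-users": {"adrian"},
    "AD-machines": {"host/IIR0010020.subdomain.domain.com"},
}

def build_filter(source, username):
    """Return (value searched, LDAP filter) a source would use for this identity."""
    ident = classify_identity(username)
    value = ident["stripped"] if source["use_stripped"] else username
    return value, f"({source['attribute']}={ldap_escape(value)})"

def resolve(username, sources=SOURCES, directory=FAKE_DIRECTORY):
    """Try the sources in profile order.

    A user identity matches on the first (user) source; a host/ identity fails
    there and matches on the machine source, the flow described in the thread.
    Returns (source name, filter used) or (None, None) when nothing matched.
    """
    for source in sources:
        value, flt = build_filter(source, username)
        if value in directory[source["name"]]:
            return source["name"], flt
    return None, None

if __name__ == "__main__":
    for identity in ("SUBDOMAIN\\adrian", "adrian@subdomain.domain.com",
                     "host/IIR0010020.subdomain.domain.com", "SUBDOMAIN\\nobody"):
        print(identity, "->", resolve(identity))
```

The order of SOURCES is the whole trick: because the machine identity is tried against the user source first and only then against servicePrincipalName, a single Ethernet-EAP profile serves both user and machine authentication without a realm filter.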
------------------------------
Message: 3
Date: Mon, 6 Apr 2015 09:00:52 -0400
From: "Howell, Michael" <[email protected]>
Subject: [PacketFence-users] Modify the email sent for guest email
registration?
To: "[email protected]"
<[email protected]>
Message-ID:
<3683d5923b324e4685cbfdaef9101f1e25269e6...@nhc0564.nhc.network.local>
Content-Type: text/plain; charset="us-ascii"
Does anyone know how to modify the email sent for guest email registration? I'd
like to modify the subject and the content.
Thanks,
Mike Howell
------------------------------
Message: 4
Date: Mon, 6 Apr 2015 08:09:36 -0500
From: Dennis Brown <[email protected]>
Subject: [PacketFence-users] (no subject)
To: [email protected]
Message-ID:
<CAOSPv5tHkrfQHPLMXciM-e6H5cJDPyZRpoHLGg=swfs+a_a...@mail.gmail.com>
Content-Type: text/plain; charset="utf-8"
All,
Having an issue starting RADIUSD after updating to version 4.7.0
When running "/usr/sbin/radiusd -X" I am getting the below errors.
First Error message:
"Refusing to start with libssl version OpenSSL 1.0.1e-fips 11 Feb 2013 (in
range 1.0.1 - 1.0.1f). Security advisory CVE-2014-0160 (Heartbleed) For
more information see http://heartbleed.com"
Fixed by adding "allow_vulnerable_openssl = yes" to the security subsection
Second Error message:
/etc/raddb/sql.conf[1]: Instantiation failed for module "sql"
/etc/raddb/sites-enabled/packetfence[32]: Failed to find "sql" in the
"modules" section.
/etc/raddb/sites-enabled/packetfence[29]: Errors parsing accounting
section.
Please help?
OS: CentOS 6.6
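The refusal message above quotes the exact range FreeRADIUS checks, OpenSSL 1.0.1 through 1.0.1f (CVE-2014-0160). Before overriding that check with allow_vulnerable_openssl it is worth confirming what the build actually reports. The following Python is an added example, not FreeRADIUS or PacketFence code and not part of the thread; it parses the version string exactly as printed in the error and reports whether it falls inside that range. The sample strings are constructed. One caveat from a defender's side: this comparison sees only the version string, and CentOS/RHEL ship security fixes as backports without bumping the upstream version, so a 1.0.1e string by itself proves neither presence nor absence of the fix; the package changelog does.

```python
import re

# Range quoted in FreeRADIUS's refusal message: 1.0.1 (no letter) through 1.0.1f.
# 1.0.1g and later, and every other branch (1.0.0x, 1.0.2x), are outside it.
VULNERABLE_BRANCH = (1, 0, 1)
LAST_VULNERABLE_LETTER = "f"

# Matches the leading part of strings such as "OpenSSL 1.0.1e-fips 11 Feb 2013".
_VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]?)")

def parse_openssl_version(text):
    """Return (major, minor, fix, letter) from an OpenSSL version string, or None."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2)), int(m.group(3)), m.group(4)

def in_heartbleed_range(text):
    """True when the reported version is 1.0.1 .. 1.0.1f, the range radiusd refuses."""
    parsed = parse_openssl_version(text)
    if parsed is None:
        return False
    major, minor, fix, letter = parsed
    if (major, minor, fix) != VULNERABLE_BRANCH:
        return False
    # "" (plain 1.0.1) and "a".."f" compare <= "f"; "g" and later do not.
    return letter <= LAST_VULNERABLE_LETTER

def verdict(text):
    """Human-readable summary of what the version string alone tells us."""
    parsed = parse_openssl_version(text)
    if parsed is None:
        return "no OpenSSL version found in text"
    if in_heartbleed_range(text):
        return ("version string is inside the CVE-2014-0160 range; "
                "check the distribution package changelog for a backported fix "
                "before setting allow_vulnerable_openssl")
    return "version string is outside the CVE-2014-0160 range"

if __name__ == "__main__":
    # Constructed sample: the string from the thread and a fixed upstream release.
    for sample in ("Refusing to start with libssl version OpenSSL 1.0.1e-fips 11 Feb 2013",
                   "OpenSSL 1.0.1g 7 Apr 2014"):
        print(sample, "->", verdict(sample))
```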
------------------------------
_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
End of PacketFence-users Digest, Vol 84, Issue 13
*************************************************