From: Louis Munro [mailto:[email protected]]
Sent: Monday, June 22, 2015 4:49 PM
To: [email protected]
Subject: Re: [PacketFence-users] RADIUS auth via AD issues

On Jun 22, 2015, at 16:30, Rhoads, Robert W. <[email protected]> wrote:


I have a RADIUS authentication source with rules to place users in the default 
Role and set the unregistration date.   RADIUS is set to use AD (as referenced 
in the Admin guide).  Per your previous advice in a different question, the 
default VLAN on the switches is set to the appropriate VLAN for that site.

As to autoregistration, I uncommented the autoregistration code in custom.pm 
located under vlan/ under lib.

While that may work, what you probably want is an AD type source which will 
allow you to create rules based on things such as group membership and LDAP 
attributes.

Remember that those sources are for authorization, since authentication has 
already succeeded in the initial RADIUS request by the time they are queried.

Check to see if the devices are actually getting registered.
Does their status change to registered in the GUI?

Then check in the logs for the matching MAC to see if they were assigned the 
right VLAN.

As I said you probably really want an AD type source.
RADIUS is rather limited in comparison and forces you to run a RADIUS server on 
the AD rather than use LDAP which should be enabled by default.

If you still have trouble getting this to work, post your authentication.conf 
file as well as juicy bits of logs (packetfence.log) and I'll try to help you.

Regards,
--
Louis Munro
[email protected]  ::  www.inverse.ca
+1.514.447.4918 x125  :: +1 (866) 353-6153 x125
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and 
PacketFence (www.packetfence.org)



My thinking of how it works is different from how it actually works, so I took 
your advice and made some changes.  I have only an AD source, with a rule that 
has no conditions (catch-all) that assigns the Role to default and sets the 
unregistration time.  I do still have an issue, and recall I am using dot1x/mab:

If the client is NOT registered in PF, and the client has the needed services 
running for wired 802.1x with the supplicant set for MSCHAP and to pass the 
login credentials to MSCHAP, RADIUS auth (using the AD source, I assume) fails 
and the system is put in the registration VLAN.  Second issue:  Assuming we 
continue on with this failed state situation, and attempt to log in via the web 
portal using the same credentials (all in AD), the portal reports bad 
username/password and I get nowhere.

What I would like to see is a single sign-on (Windows logon), where the Windows 
logon credentials are passed to the supplicant, which uses them for 802.1x, and 
then PF does the autoregistration.  Is my problem with some MSCHAP setup in 
the first issue?  Where might the problem be in the second issue?


And a totally separate question: is it possible to make it so PF will 
deregister a client system when the user logs off?

Thank you so very much for your help!
_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
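The following authentication.conf fragment is an added illustration of the AD source Louis recommends, with one rule keyed on group membership and one catch-all like the rule Robert describes. It is not from the thread or from the PacketFence project: the host, base DN, bind account, group DNs and dates are placeholders, and the key names (`condition0`, `action0`, `set_role`, `set_unreg_date`) are assumed from the layout PacketFence's authentication.conf uses, so compare them with the Admin guide for your version before relying on them. As Louis notes, these rules only decide authorization; they are consulted after the 802.1X/RADIUS authentication has already succeeded, so a failing MSCHAP exchange never reaches them.

```ini
# Added example, not PacketFence project code.
# Host, base DN, bind DN, group DNs and dates are placeholders (assumed).
[AD]
description=Corporate Active Directory
type=AD
host=dc1.example.local
port=389
encryption=none
basedn=DC=example,DC=local
scope=sub
usernameattribute=sAMAccountName
binddn=CN=pf-bind,OU=Service Accounts,DC=example,DC=local
password=CHANGE_ME

# Rule 1: members of the Staff group get the "default" role and a fixed
# unregistration date. Rules run only after RADIUS authentication succeeded.
[AD rule staff]
description=Staff workstations
match=all
condition0=memberOf,equals,CN=Staff,OU=Groups,DC=example,DC=local
action0=set_role=default
action1=set_unreg_date=2015-12-31

# Rule 2: catch-all for any other AD user (no conditions), equivalent to the
# rule described in the thread. Placed last, assuming first-match ordering,
# so the more specific rule above takes precedence.
[AD rule catchall]
description=Any other domain user
match=all
action0=set_role=default
action1=set_unreg_date=2015-12-31
```

To verify the result the way Louis suggests, authenticate a test device, confirm in the GUI that its status changed to registered, and then search /usr/local/pf/logs/packetfence.log for that device's MAC address to confirm which rule matched and which VLAN was assigned.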
