On Jun 23, 2015, at 12:09 , Rhoads, Robert W. <[email protected]> wrote:
>
> My thinking of how it works is different from how it actually works…so I took
> your advice and made some changes. I have only an AD source, with a rule
> that has no conditions (catch all) that assigns the Role to default and sets
> the unregistration time. I do still have an issue, and recall I am using
> dot1x/mab:
>
> If the client is NOT registered in PF, and the client has the needed services
> running for wired 802.1x with the supplicant set for MSCHAP and to pass the
> login credentials to MSCHAP, radius auth (using the AD source I assume) fails
> and the system is put in the registration VLAN.
> Second Issue: Assuming we continue on with this failed state situation, and
> attempt to login via the web portal using the same credentials (all in AD),
> the portal reports bad username/password and I get nowhere.
>
This sounds like the initial 802.1x authentication failing, the switch trying
MAB and then the portal not allowing you through because the source is either
misconfigured or the username/password is wrong.
> What I would like to see is a single sign on (Windows logon), where the
> Windows logon credentials are passed to the supplicant which uses them for
> 802.1x and then PF does the autoregistration. Is my problem with some MSCHAP
> set up in the first issue? Where might the problem be in the second issue?
>
This is doable and is actually what a lot of people are doing.
I can’t help you without more details though.
I need:
1. The full radiusd -d raddb -X output for a failed 802.1x authentication
2. the conf/profiles.conf and conf/authentication.conf files
3. the logs/packetfence.log for the MAC of the device you are trying to
register.
>
> And a totally separate question, is it possible to make it so PF will
> deregister a client system when the user logs off?
Not reliably.
There’s no RADIUS packet that specifically says “logging off”.
You may get a radius accounting “stop session”, but that does not necessarily
mean the user logged off.
Conversely if the user is not connected when he/she logs off (e.g. on wireless)
you would not get anything.
The real question is what are you trying to achieve?
When using 802.1x, authentication still has to happen anytime the user
connects, regardless of whether they are registered or not.
Regards,
--
Louis Munro
[email protected] :: www.inverse.ca
+1.514.447.4918 x125 :: +1 (866) 353-6153 x125
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence
(www.packetfence.org)
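To illustrate the point above about accounting Stop records, here is an added example (not code from this thread or from PacketFence) that parses constructed records laid out like a FreeRADIUS "detail" accounting file and shows how few Stops actually carry a cause that even hints at a deliberate user disconnect:

```python
"""Show why a RADIUS Accounting Stop is not a reliable "user logged off" signal.

Input layout is the FreeRADIUS detail-file style (constructed sample below):
a timestamp line, tab-indented "Attribute = Value" lines, blank line between
records. Terminate-cause names follow RFC 2866 (User-Request, Lost-Carrier, ...).
"""
import re

# Constructed sample: one Start and three Stops for the same MAC.
SAMPLE = """\
Tue Jun 23 12:01:05 2015
\tAcct-Status-Type = Start
\tUser-Name = "jdoe"
\tCalling-Station-Id = "00-11-22-33-44-55"
\tAcct-Session-Id = "0000A1B2"

Tue Jun 23 12:40:11 2015
\tAcct-Status-Type = Stop
\tUser-Name = "jdoe"
\tCalling-Station-Id = "00-11-22-33-44-55"
\tAcct-Session-Id = "0000A1B2"
\tAcct-Terminate-Cause = Lost-Carrier

Tue Jun 23 13:05:42 2015
\tAcct-Status-Type = Stop
\tUser-Name = "jdoe"
\tCalling-Station-Id = "00-11-22-33-44-55"
\tAcct-Session-Id = "0000A1B3"
\tAcct-Terminate-Cause = Idle-Timeout

Tue Jun 23 17:02:09 2015
\tAcct-Status-Type = Stop
\tUser-Name = "jdoe"
\tCalling-Station-Id = "00-11-22-33-44-55"
\tAcct-Session-Id = "0000A1B4"
\tAcct-Terminate-Cause = User-Request
"""

def parse_detail(text):
    """Split detail-file text into one dict per accounting record."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        rec = {"timestamp": lines[0].strip()}
        for line in lines[1:]:
            key, _, value = line.strip().partition(" = ")
            rec[key] = value.strip('"')
        records.append(rec)
    return records

def stop_causes(text):
    """Map Acct-Session-Id -> Acct-Terminate-Cause for every Stop record."""
    return {r["Acct-Session-Id"]: r.get("Acct-Terminate-Cause", "unknown")
            for r in parse_detail(text) if r.get("Acct-Status-Type") == "Stop"}

def plausible_logoffs(text):
    """Session ids whose Stop came from User-Request: the only cause that even
    suggests a deliberate disconnect. Cable pulls (Lost-Carrier), idle timers
    and NAS-side resets tell you nothing about whether the user logged off."""
    return sorted(s for s, c in stop_causes(text).items() if c == "User-Request")
```

Running this on the sample yields three Stops but only one plausible logoff, and even that one only means the supplicant or NAS asked to end the session, not that a Windows logoff occurred.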
_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users