Furthermore, check out the bin/pftest script.
It allows you to see what each authorization source says for a given username
and password.
Regards,
--
Louis Munro
[email protected] :: www.inverse.ca
+1.514.447.4918 x125 :: +1 (866) 353-6153 x125
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence
(www.packetfence.org)
On Jun 23, 2015, at 13:08 , Louis Munro <[email protected]> wrote:
>
>
> On Jun 23, 2015, at 12:09 , Rhoads, Robert W. <[email protected]> wrote:
>
>>
>> My thinking of how it works is different from how it actually works…so I
>> took your advice and made some changes. I have only an AD source, with a
>> rule that has no conditions (catch all) that assigns the Role to default and
>> sets the unregistration time. I do still have an issue, and recall I am
>> using dot1x/mab:
>>
>> If the client is NOT registered in PF, and the client has the needed
>> services running for wired 802.1x with the supplicant set for MSCHAP and to
>> pass the login credentials to MSCHAP, radius auth (using the AD source I
>> assume) fails and the system is put in the registration VLAN.
>
>> Second Issue: Assuming we continue on with this failed state situation, and
>> attempt to login via the web portal using the same credentials (all in AD),
>> the portal reports bad username/password and I get nowhere.
>>
>
> This sounds like the initial 802.1x authentication failing, the switch trying
> MAB and then the portal not allowing you through because the source is either
> misconfigured or the username/password is wrong.
>
>
>> What I would like to see is a single sign on (Windows logon), where the
>> Windows logon credentials are passed to the supplicant which uses them for
>> 802.1x and then PF does the autoregistration. Is my problem with some
>> MSCHAP set up in the first issue? Where might the problem be in the second
>> issue?
>>
>
> This is doable and is actually what a lot of people are doing.
>
> I can’t help you without more details though.
>
> I need:
> 1. The full radiusd -d raddb -X output for a failed 802.1x authentication
> 2. the conf/profiles.conf and conf/authentication.conf files
> 3. the logs/packetfence.log for the MAC of the device you are trying to
> register.
>
>
>>
>> And a totally separate question, is it possible to make it so PF will
>> deregister a client system when the user logs off?
>
> Not reliably.
>
> There’s no RADIUS packet that specifically says “logging off”.
> You may get a radius accounting “stop session”, but that does not necessarily
> mean the user logged off.
>
> Conversely if the user is not connected when he/she logs off (e.g. on
> wireless) you would not get anything.
>
> The real question is what are you trying to achieve?
> When using 802.1x, authentication still has to happen anytime the user
> connects, regardless of whether they are registered or not.
>
> Regards,
> --
> Louis Munro
> [email protected] :: www.inverse.ca
> +1.514.447.4918 x125 :: +1 (866) 353-6153 x125
> Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence
> (www.packetfence.org)
_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users