Hello Fabrice,
Thank you for the script, appreciate that :-)
However, no matter how I try, the supplicant will always go to user
authentication first instead of computer authentication. In order to
autoreg the computer, I did the following steps:
1. First my Windows 7 does user authentication; although RADIUS accepted
it, PF presents the registration VLAN.
2. Then I manually force my Win7 supplicant to "computer authentication" in
the 802.1X settings and reconnect the port, and PF starts to autoreg the machine.
3. Lastly, I revert the 802.1X setting to "user or computer
authentication" and reconnect the port; PF autoregs without issue.
So if I unreg the node manually, I have to redo steps 2 and 3 to autoreg the
node.
Thank you.
Regards,
Reeyon
On Fri, Feb 5, 2016 at 11:56 PM, Fabrice DURAND <[email protected]> wrote:
> Hello Reeyon,
>
> You can do something like this:
>
> First create a role "machine" and a role "refuse".
> In the switch config, assign the role machine to a production VLAN and
> refuse to VLAN id -1.
>
> Next add this to the vlan filter:
>
> [EthernetEAP]
> filter = connection_type
> operator = is
> value = Ethernet-EAP
>
> [machineauth]
> filter = user_name
> operator = regex
> value = ^host\/
>
> [machine]
> filter = node_info
> attribute = machine_account
> operator = defined
> value = default
>
> #### Machine Auth Autoregister ####
>
> [1:EthernetEAP&machineauth]
> scope = AutoRegister
> role = machine
>
> [2:EthernetEAP&machineauth]
> scope = NodeInfoForAutoReg
> role = machine
>
> #### Refuse User Auth without machine Auth ####
>
> [3:EthernetEAP&!machine]
> scope = RegisteredRole
> role = refuse
>
>
> So if the first authentication is machine auth then PacketFence will
> autoregister it; next, if the device does user auth then it will compute
> the role from the authentication source you defined (portal profile with
> filter connection_type EthernetEAP and sources AD User and AD Machine).
> If the device tries to authenticate directly without previously doing
> machine auth then it will be refused.
>
> Btw, if you want to forward the device to the registration VLAN instead
> of refusing it, then replace rule 3 with this:
>
> [3:EthernetEAP&!machine]
> scope = RegisteredRole
> role = registration
> action = deregister_node
> action_param = $mac
>
>
> Regards
> Fabrice
>
> On 2016-02-04 22:17, Reeyon Lim wrote:
> > In addition, if any of the authorized users bring their personal devices
> > such as mobile/iPad/tablet/laptops, since they already have an
> > 802.1X AD account in the company, they can easily set up the
> > 802.1X settings themselves and get access granted.
> >
> > Endpoint profiling/classification would give more flexibility and ease
> > of configuration.
> > Something similar to this:
> > PF detects any BYOD that isn't authorized and puts it into registration.
> >
> > I have no idea how to deal with this objective: by using traditional
> > 802.1X, WMI or a Violation?
> >
> > I would prefer Violation, because it can operate dynamically by
> > design I guess. For example: PF detects domain computers and puts them
> > in the normal VLAN, otherwise puts them in the Registration VLAN.
> > So how can I achieve this goal?
> >
> > Thank you.
> >
> > Regards,
> > Reeyon
> >
> >
> >
> > On Thu, Feb 4, 2016 at 10:16 AM, Reeyon Lim <[email protected]> wrote:
> >
> > Hello Fabrice,
> >
> > From the Windows supplicant, by default "user and computer
> > authentication" was chosen in the 802.1X settings.
> >
> > Does PF provide another, better solution for 802.1X authentication
> > for BYOD?
> >
> > Regards,
> > Reeyon
> >
> > On Wed, Feb 3, 2016 at 11:55 PM, Fabrice DURAND <[email protected]> wrote:
> >
> > You talked about the NetBIOS name, not the DNS name.
> >
> > In PacketFence, FreeRADIUS validates the machine name
> > (host/FMCART310-15.domain.com) and on the PacketFence side we
> > have to create another authentication source with the user attribute
> > servicePrincipalName.
> >
> > Check a machine account in your AD (Adsiedit.msc), in the attribute
> > servicePrincipalName, and you will see the complete DNS name of
> > the machine.
> >
> > So the only limit is the 64 characters of the DNS name.
> >
> > Regards
> > Fabrice
> >
> > On 2016-02-03 10:16, Tedder, Eric wrote:
> > > Fabrice,
> > >
> > > I am not certain how you get it to work after 15 characters,
> > > but everything I read and have experienced with AD and
> > > hostnames being longer than 14/15 characters is that they
> > > don't authenticate because AD will truncate them.
> > >
> > > https://support.microsoft.com/en-us/kb/909264
> > > https://technet.microsoft.com/en-us/library/cc731383.aspx
> > > https://supportforums.cisco.com/discussion/12299256/ise-admin-server-16-character-hostname
> > >
> > >
> > >
> > > -----Original Message-----
> > > From: Fabrice DURAND [mailto:[email protected]]
> > > Sent: Wednesday, February 03, 2016 9:17 AM
> > > To: [email protected]
> > > Subject: Re: [PacketFence-users] machine authentication
> > >
> > > There is no limit of 14 characters; I have machine auth with more than
> > > 30 characters and there is no issue.
> > >
> > > Also, did you check that the client does machine auth?
> > > (Windows supplicant)
> > >
> > > Regards
> > > Fabrice
> > >
> > > On 2016-02-03 08:52, Tedder, Eric wrote:
> > >> The one limitation that I have found with computer authentication with
> > >> PacketFence and Active Directory is that the computer name cannot
> > >> exceed 14 characters or it breaks.
> > >>
> > >>
> > >>
> > >> *From:* Reeyon Lim [mailto:[email protected]]
> > >> *Sent:* Tuesday, February 02, 2016 9:39 PM
> > >> *To:* [email protected]
> > >> *Subject:* Re: [PacketFence-users] machine authentication
> > >>
> > >> Hello Fabrice,
> > >>
> > >> Now I restarted the config from scratch.
> > >>
> > >> 0. Wipe out existing parameters in vlan_filters.conf
> > >> 1. Created AD-computer source, according to the Administration Guide.
> > >> 2. Map this source to the 802.1X portal profile.
> > >> 3. Run raddebug -f /usr/local/pf/var/run/radiusd.sock -t 3600
> > >> 4. I can't see any "host/xxxxxx" in the debug, but I see
> > >> "domain\username"
> > >>
> > >> So I guess the computer is authenticating user credentials instead of
> > >> machine auth.
> > >>
> > >> Anything that I've missed out?
> > >>
> > >> Regards,
> > >> Reeyon
> > >>
> > >> On Tue, Feb 2, 2016 at 10:53 PM, Fabrice DURAND <[email protected]> wrote:
> > >>
> > >> Hello Reeyon,
> > >>
> > >> On 2016-02-02 02:12, Reeyon Lim wrote:
> > >>> Hello Everyone,
> > >>>
> > >>> Sorry for my multiples questions recently.
> > >> No problem, the mailing list is for that.
> > >>> I have been setting up 802.1X authentication for the lab, but I
> > >>> need to make the 802.1X authentication more secure, and I found
> > >>> machine authentication in the Administration guide.
> > >>>
> > >>> Tried to follow every step in the guide, but failed to make it work.
> > >>> I do not find any logs in packetfence.log like "host/xxxxxx", and PF
> > >>> just pushes the domain PC to RegistrationRole without authentication.
> > >> Check first in radius.log, or run RADIUS in debug mode, to see why
> > >> machine auth failed (raddebug -f /usr/local/pf/var/run/radiusd.sock -t
> > >> 3000).
> > >> When you are able to successfully authenticate the machine in
> > >> FreeRADIUS, you will see in packetfence.log a username
> > >> like host/xxxxxx
> > >>> I have 2 sources: ad-user and ad-computers. These two
> > >>> are mapped to the 802.1X portal profile.
> > >>>
> > >>> The objective here is to block any non-domain BYOD from being able to
> > >>> access the network, except domain machines and users.
> > >>>
> > >> Next you will have to deal with the vlan filter to test if machine auth
> > >> passed before user auth.
> > >>> Please help!
> > >>> Thank you.
> > >>>
> > >>> Regards,
> > >>> Reeyon
> > >>>
> > >>>
> > >> Regards
> > >> Fabrice
> > >>
> --
> Fabrice Durand
> [email protected] :: +1.514.447.4918 (x135) :: www.inverse.ca
> Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence (
> http://packetfence.org)
_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
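To make the behaviour of the rule set Fabrice posted in his Feb 5 message concrete, here is an added example that is not code from the thread or from PacketFence: a small Python stand-in that parses that vlan_filters.conf snippet and shows which rule fires, per scope, for the three cases he describes (machine auth first, user auth on a node that already did machine auth, user auth without prior machine auth), plus his alternative rule 3. The evaluation engine is deliberately simplified (only the filter/operator/value conditions and the `&`/`!` combinations the snippet uses, not PacketFence's real filter engine); the request field names follow the `filter` names in the snippet, and the usernames and the `machine_account` node-attribute values are constructed for illustration.

```python
"""Simulator of the vlan_filters.conf rules posted above. Added example, not
PacketFence's own filter engine: a simplified stand-in for the filter/operator/
value conditions and the '&' / '!' rule syntax that the snippet uses."""
import configparser
import re

# Fabrice's rule set, verbatim.
VLAN_FILTERS = r"""
[EthernetEAP]
filter = connection_type
operator = is
value = Ethernet-EAP
[machineauth]
filter = user_name
operator = regex
value = ^host\/
[machine]
filter = node_info
attribute = machine_account
operator = defined
value = default
[1:EthernetEAP&machineauth]
scope = AutoRegister
role = machine
[2:EthernetEAP&machineauth]
scope = NodeInfoForAutoReg
role = machine
[3:EthernetEAP&!machine]
scope = RegisteredRole
role = refuse
"""
# His alternative rule 3: registration VLAN plus deregistering the node.
RULE3_REGISTRATION = VLAN_FILTERS.replace(
    "role = refuse", "role = registration\naction = deregister_node\naction_param = $mac")


def load_rules(text):
    """Split the INI text into named conditions and numbered rules (sorted)."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    conditions, rules = {}, []
    for name in cp.sections():
        m = re.match(r"^(\d+):(.+)$", name)
        if m:
            rules.append((int(m.group(1)), m.group(2), dict(cp[name])))
        else:
            conditions[name] = dict(cp[name])
    rules.sort(key=lambda r: r[0])
    return conditions, rules


def condition_matches(cond, req):
    """Evaluate one [condition] section against a request dict."""
    if cond["filter"] == "node_info":
        actual = (req.get("node_info") or {}).get(cond["attribute"])
    else:
        actual = req.get(cond["filter"])
    op = cond["operator"]
    if op == "is":
        return actual == cond["value"]
    if op == "regex":
        return actual is not None and re.search(cond["value"], actual) is not None
    if op == "defined":  # 'value' is irrelevant for this operator
        return actual not in (None, "")
    raise ValueError(f"unsupported operator {op!r}")


def rule_matches(expr, conditions, req):
    """'A&!B' style expression: every term must hold; a leading '!' negates it."""
    for term in expr.split("&"):
        term = term.strip()
        negate = term.startswith("!")
        if condition_matches(conditions[term.lstrip("!")], req) == negate:
            return False
    return True


def evaluate(text, scope, req):
    """First rule for `scope` whose conditions hold, as a dict minus 'scope'.
    None means no rule fired: PacketFence would then fall through to the role
    computed from the authentication sources."""
    conditions, rules = load_rules(text)
    for _num, expr, section in rules:
        if section.get("scope") == scope and rule_matches(expr, conditions, req):
            return {k: v for k, v in section.items() if k != "scope"}
    return None


def make_request(user_name, machine_account=None):
    """Constructed wired 802.1X request; 'machine_account' stands for the node
    attribute the [machine] condition tests, set by hand here after machine auth."""
    return {"connection_type": "Ethernet-EAP", "user_name": user_name,
            "node_info": {"machine_account": machine_account}}


MACHINE_AUTH = make_request("host/FMCART310-15.domain.com")
USER_AFTER_MACHINE = make_request("DOMAIN\\jdoe", machine_account="host/FMCART310-15.domain.com")
USER_WITHOUT_MACHINE = make_request("DOMAIN\\jdoe")

if __name__ == "__main__":
    for label, req in [("machine auth", MACHINE_AUTH), ("user after machine", USER_AFTER_MACHINE),
                       ("user without machine", USER_WITHOUT_MACHINE)]:
        for scope in ("AutoRegister", "NodeInfoForAutoReg", "RegisteredRole"):
            print(f"{label:22} {scope:19} -> {evaluate(VLAN_FILTERS, scope, req)}")
    print("alt rule 3 ->", evaluate(RULE3_REGISTRATION, "RegisteredRole", USER_WITHOUT_MACHINE))
```

Running it prints one line per scenario and scope; `None` marks the cases where no filter rule fires and the role would come from the authentication sources instead. What the simulator makes visible is the point Fabrice states in prose: a user authentication on a node with no recorded machine account hits rule 3 (refuse, or registration plus deregister in the alternative), so the first authentication PacketFence sees from the port has to be the `host/` one.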