Hello Fabrice,

Oh yeah, it's working now with Ethernet LAN :-)
I logged out and back in and can see user/computer authentication logs flowing.

How about wireless EAP? I tried with the following script but it seems it
doesn't work.

[machine]
filter = node_info
attribute = machine_account
operator = defined
value = default
#
[ssidsecure]
filter = connection_type
operator = is
value = Wireless-802.11-EAP
#
[4:ssidsecure&machineauth]
scope = AutoRegister
role = machines
#
[5:ssidsecure&machineauth]
scope = NodeInfoForAutoReg
role = machines
#
[6:ssidsecure&!machine]
scope = RegisteredRole
role = refuse

Regards,
Reeyon

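As an added illustration (not part of this thread or of PacketFence's code), the following Python models how the vlan filter rules Fabrice posts further down, together with the wireless variant above, resolve: machine auth (a user_name matching ^host\/) lands in AutoRegister with the machine role, a later user auth on a node whose machine_account is already set falls through to the role from the authentication source, and user auth without prior machine auth is refused. The dict shape of the request, the field names and first-match evaluation are assumptions of this model.

```python
import re
# Simplified model of the vlan_filters.conf rules in this thread (added example,
# not PacketFence's own engine; the INI sections are written as Python literals).

# filter name -> (request field, node_info attribute or None, operator, value)
FILTERS = {
    "EthernetEAP": ("connection_type", None, "is", "Ethernet-EAP"),
    "ssidsecure":  ("connection_type", None, "is", "Wireless-802.11-EAP"),
    "machineauth": ("user_name", None, "regex", r"^host\/"),
    "machine":     ("node_info", "machine_account", "defined", "default"),
}
# (condition from the section header, scope, role) in evaluation order
RULES = [
    ("EthernetEAP&machineauth", "AutoRegister", "machine"),
    ("EthernetEAP&!machine", "RegisteredRole", "refuse"),
    ("ssidsecure&machineauth", "AutoRegister", "machines"),
    ("ssidsecure&!machine", "RegisteredRole", "refuse"),
]

def match_filter(name, request):
    """Evaluate one named filter against a dict of RADIUS/node attributes."""
    field, attr, op, value = FILTERS[name]
    actual = request.get(field)
    if attr is not None:                 # node_info.<attribute>
        actual = (actual or {}).get(attr)
    if op == "is":
        return actual == value
    if op == "regex":
        return actual is not None and re.search(value, actual) is not None
    if op == "defined":                  # 'value' is ignored for this operator
        return actual not in (None, "")
    raise ValueError(f"unsupported operator {op!r}")

def condition_holds(expr, request):
    """'a&!b' means filter a matches AND filter b does not."""
    for term in expr.split("&"):
        if match_filter(term.lstrip("!"), request) == term.startswith("!"):
            return False
    return True

def evaluate(scope, request):
    """Role from the first matching rule in `scope`; None means no rule fired
    and PacketFence falls back to the role computed from the auth source."""
    for expr, rule_scope, role in RULES:
        if rule_scope == scope and condition_holds(expr, request):
            return role
    return None

# Constructed requests for the three Ethernet cases Fabrice describes.
MACHINE_AUTH = {"connection_type": "Ethernet-EAP",
                "user_name": "host/PC01.example.com", "node_info": {}}
USER_AFTER_MACHINE = {"connection_type": "Ethernet-EAP", "user_name": "EXAMPLE\\alice",
                      "node_info": {"machine_account": "host/PC01.example.com"}}
USER_ONLY = {"connection_type": "Ethernet-EAP", "user_name": "EXAMPLE\\alice", "node_info": {}}
```

The model evaluates one scope against one request; in PacketFence the NodeInfoForAutoReg scope fills machine_account before a later RegisteredRole evaluation sees it, which is why USER_AFTER_MACHINE carries that attribute already.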

On Thu, Feb 11, 2016 at 10:18 AM, Reeyon Lim <[email protected]> wrote:

> Hello Fabrice,
>
> Thank you for the script, appreciate that :-)
>
> However, no matter how I try, the supplicant always goes to user
> authentication first instead of computer authentication. In order to
> autoreg the computer, I did the following steps:
>
> 1. First my Windows 7 does user authentication; although RADIUS accepted
> it, PF presents the registration VLAN.
> 2. Then I manually force my Win7 supplicant to "computer authentication"
> in the 802.1x settings and reconnect the port, and PF starts to autoreg
> the machine.
> 3. Lastly, I revert the 802.1x setting to "user or computer
> authentication" and reconnect the port; PF autoregs without issue.
>
> So if I unreg the node manually, I have to redo steps 2 & 3 to autoreg the
> node.
> Thank you.
>
> Regards,
> Reeyon
>
>
> On Fri, Feb 5, 2016 at 11:56 PM, Fabrice DURAND <[email protected]> wrote:
>
>> Hello Reeyon,
>>
>> You can do something like this:
>>
>> First create a role machine and a role refuse.
>> In the switch config assign the role machine to a production vlan and
>> refuse to the vlan id -1.
>>
>> Next, add this to the vlan filter:
>>
>> [EthernetEAP]
>> filter = connection_type
>> operator = is
>> value = Ethernet-EAP
>>
>> [machineauth]
>> filter = user_name
>> operator = regex
>> value = ^host\/
>>
>> [machine]
>> filter = node_info
>> attribute = machine_account
>> operator = defined
>> value = default
>>
>> #### Machine Auth Autoregister ####
>>
>> [1:EthernetEAP&machineauth]
>> scope = AutoRegister
>> role = machine
>>
>> [2:EthernetEAP&machineauth]
>> scope = NodeInfoForAutoReg
>> role = machine
>>
>> #### Refuse User Auth without machine Auth ####
>>
>> [3:EthernetEAP&!machine]
>> scope = RegisteredRole
>> role = refuse
>>
>> So if the first authentication is machine auth then PacketFence will
>> autoregister it; next, if the device does user auth then it will compute
>> the role from the authentication source you defined (portal profile with
>> filter connection_type EthernetEAP and sources AD User and AD Machine).
>> If the device tries to authenticate directly without having previously
>> done machine auth then it will be refused.
>>
>> Btw, if you want to forward the device to the registration vlan instead
>> of refusing it, then replace rule 3 with this:
>>
>> [3:EthernetEAP&!machine]
>> scope = RegisteredRole
>> role = registration
>> action = deregister_node
>> action_param = $mac
>>
>>
>> Regards
>> Fabrice
>>
>> On 2016-02-04 22:17, Reeyon Lim wrote:
>> > In addition, if any of the authorized users bring their personal devices
>> > such as mobile/iPad/tablet/laptops, since they already have an 802.1x AD
>> > account in the company, they can easily set up the 802.1x settings
>> > themselves and be granted access.
>> >
>> > Endpoint profiling/classification would give more flexibility and easier
>> > configuration. Something similar to this:
>> > PF detects any BYOD that isn't authorized and puts it into registration.
>> >
>> > I have no idea how to deal with this objective: by using traditional
>> > 802.1x, WMI or Violation?
>> >
>> > I would prefer Violation, because it can operate dynamically by design,
>> > I guess. For example: PF detects domain computers and puts them in the
>> > normal VLAN, otherwise puts them in the Registration VLAN.
>> > So how can I achieve this goal?
>> >
>> > Thank you.
>> >
>> > Regards,
>> > Reeyon
>> >
>> >
>> >
>> > On Thu, Feb 4, 2016 at 10:16 AM, Reeyon Lim <[email protected]> wrote:
>> >
>> >     Hello Fabrice,
>> >
>> >     From the Windows supplicant, by default "user and computer
>> >     authentication" was chosen in the 802.1x settings.
>> >
>> >     Does PF provide another, better solution for 802.1x authentication
>> >     for BYOD?
>> >
>> >     Regards,
>> >     Reeyon
>> >
>> >     On Wed, Feb 3, 2016 at 11:55 PM, Fabrice DURAND <[email protected]> wrote:
>> >
>> >         You talked about the NetBIOS name, not the DNS name.
>> >
>> >         In PacketFence, FreeRADIUS validates the machine name
>> >         (host/FMCART310-15.domain.com) and on the PacketFence side we
>> >         have to create another authentication source with the user
>> >         attribute servicePrincipalName.
>> >
>> >         Check in your AD for a machine account (Adsiedit.msc) in the
>> >         attribute servicePrincipalName and you will see the complete DNS
>> >         name of the machine.
>> >
>> >         So the only limit is the 64 characters of the DNS name.
>> >
>> >         Regards
>> >         Fabrice
>> >
>> >         On 2016-02-03 10:16, Tedder, Eric wrote:
>> >         > Fabrice,
>> >         >
>> >         > I am not certain how you get it to work after 15 characters,
>> >         > but everything I read and have experienced with AD and
>> >         > hostnames being longer than 14/15 characters is that they
>> >         > don't authenticate because AD will truncate them.
>> >         >
>> >         > https://support.microsoft.com/en-us/kb/909264
>> >         > https://technet.microsoft.com/en-us/library/cc731383.aspx
>> >         > https://supportforums.cisco.com/discussion/12299256/ise-admin-server-16-character-hostname
>> >         >
>> >         >
>> >         > -----Original Message-----
>> >         > From: Fabrice DURAND [mailto:[email protected]]
>> >         > Sent: Wednesday, February 03, 2016 9:17 AM
>> >         > To: [email protected]
>> >         > Subject: Re: [PacketFence-users] machine authentication
>> >         >
>> >         > There is no limit of 14 characters; I have machine auth with
>> >         > more than 30 characters and there is no issue.
>> >         >
>> >         > Also, did you check that the client does machine auth?
>> >         > (Windows supplicant)
>> >         >
>> >         > Regards
>> >         > Fabrice
>> >         >
>> >         > On 2016-02-03 08:52, Tedder, Eric wrote:
>> >         >> The one limitation that I have found with computer
>> >         >> authentication with PacketFence and Active Directory is that
>> >         >> the computer name cannot exceed 14 characters or it breaks.
>> >         >>
>> >         >>
>> >         >>
>> >         >> *From:* Reeyon Lim [mailto:[email protected]]
>> >         >> *Sent:* Tuesday, February 02, 2016 9:39 PM
>> >         >> *To:* [email protected]
>> >         >> *Subject:* Re: [PacketFence-users] machine authentication
>> >         >>
>> >         >> Hello Fabrice,
>> >         >>
>> >         >> Now I restarted the config from scratch.
>> >         >>
>> >         >> 0.  wipe out existing parameters in vlan_filters.conf
>> >         >> 1.  Created AD-computer source, according to the Administration Guide.
>> >         >> 2.  Map this source to 802.1x portal profile.
>> >         >> 3.  run raddebug -f /usr/local/pf/var/run/radiusd.sock -t 3600
>> >         >> 4.  I can't see any "host/xxxxxx" in debug, but I see "domain\username"
>> >         >>
>> >         >> So I guess the computer is authenticating user credentials instead of
>> >         >> machine auth.
>> >         >>
>> >         >> Anything that I've missed out?
>> >         >>
>> >         >> Regards,
>> >         >> Reeyon
>> >         >>
>> >         >> On Tue, Feb 2, 2016 at 10:53 PM, Fabrice DURAND
>> >         >> <[email protected]> wrote:
>> >         >>
>> >         >> Hello Reeyon,
>> >         >>
>> >         >> On 2016-02-02 02:12, Reeyon Lim wrote:
>> >         >>> Hello Everyone,
>> >         >>>
>> >         >>> Sorry for my multiple questions recently.
>> >         >> No problem, the mailing list is for that.
>> >         >>> I have been setting up 802.1x authentication for the lab, but I
>> >         >>> need to make 802.1x authentication more secure, and I found
>> >         >>> machine authentication in the Administration guide.
>> >         >>>
>> >         >>> Tried to follow every step in the guide, but failed to make it work.
>> >         >>> I do not find any logs in packetfence.log like "host/xxxxxx", and PF
>> >         >>> just pushes the domain PC to RegistrationRole without authentication.
>> >         >> Check first in radius.log or run radius in debug mode to see why
>> >         >> machine auth failed (raddebug -f /usr/local/pf/var/run/radiusd.sock -t 3000).
>> >         >> When you are able to successfully authenticate the machine in
>> >         >> FreeRADIUS, then you will be able to see in packetfence.log a username
>> >         >> like host/xxxxxx.
>> >         >>> I have 2 source lists: ad-user and ad-computers. These two lists are
>> >         >>> mapped to the 802.1x portal profile.
>> >         >>>
>> >         >>> The objective here is to block any non-domain BYOD from being able to
>> >         >>> access the network, except domain machines and users.
>> >         >>>
>> >         >> Next you will have to deal with the vlan filter to test if machine auth
>> >         >> passed before user auth.
>> >         >>> Please help!
>> >         >>> Thank you.
>> >         >>>
>> >         >>> Regards,
>> >         >>> Reeyon
>> >         >>>
>> >         >>>
>> >         >> Regards
>> >         >> Fabrice
>> >         >>
>> >         >>>
>> >         >>
>> --
>> Fabrice Durand
>> [email protected] ::  +1.514.447.4918 (x135) ::  www.inverse.ca
>> Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence
>> (http://packetfence.org)
>
_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
