Hello Reeyon, under wireless do you have machine and user auth?

Also it should work, but you can change the connection_type filter for an ssid filter. Something like that:

[ssidsecure]
filter = ssid
operator = is
value = ssidsecure

Regards
Fabrice

On 2016-02-10 23:33, Reeyon Lim wrote:
> Hello Fabrice,
>
> oh yeah .. it's working now with Ethernet LAN :-)
> I have logged out & logged in and can see user/computer authentication logs flowing.
>
> how about wireless EAP? I tried with the following scripts but it seems it doesn't work.
>
> [machine]
> filter = node_info
> attribute = machine_account
> operator = defined
> value = default
> #
> [ssidsecure]
> filter = connection_type
> operator = is
> value = Wireless-802.11-EAP
> #
> [4:ssidsecure&machineauth]
> scope = AutoRegister
> role = machines
> #
> [5:ssidsecure&machineauth]
> scope = NodeInfoForAutoReg
> role = machines
> #
> [6:ssidsecure&!machine]
> scope = RegisteredRole
> role = refuse
>
> Regards,
> Reeyon
>
>
> On Thu, Feb 11, 2016 at 10:18 AM, Reeyon Lim <[email protected]> wrote:
>
> Hello Fabrice,
>
> Thank you for the script, appreciate that :-)
>
> However, no matter how I try, the supplicant always goes to user authentication first instead of computer authentication. In order to autoreg the computer, I did the following steps:
>
> 1. First my Windows 7 takes user authentication; although radius accepted it, pf presents the registration vlan
> 2. Then, manually force my Win7 supplicant to "computer authentication" in the 802.1x settings, and reconnect the port; pf starts to autoreg the machine
> 3. Lastly, revert the 802.1x setting back to "user or computer authentication", reconnect the port, pf autoregs without issue
>
> so if I unreg the node manually, I have to redo steps 2 & 3 to autoreg the node.
> Thank you.
>
> Regards,
> Reeyon
>
>
> On Fri, Feb 5, 2016 at 11:56 PM, Fabrice DURAND <[email protected]> wrote:
>
> Hello Reeyon,
>
> you can do something like that:
>
> First create a role machine and a role refuse.
> In the switch config assign the role machine to a production vlan and refuse to the vlan id -1.
>
> Next add to the vlan filter this:
>
> [EthernetEAP]
> filter = connection_type
> operator = is
> value = Ethernet-EAP
>
> [machineauth]
> filter = user_name
> operator = regex
> value = ^host\/
>
> [machine]
> filter = node_info
> attribute = machine_account
> operator = defined
> value = default
>
> #### Machine Auth Autoregister ####
>
> [1:EthernetEAP&machineauth]
> scope = AutoRegister
> role = machine
>
> [2:EthernetEAP&machineauth]
> scope = NodeInfoForAutoReg
> role = machine
>
> #### Refuse User Auth without machine Auth ####
>
> [3:EthernetEAP&!machine]
> scope = RegisteredRole
> role = refuse
>
> So if the first authentication is machine then packetfence will autoregister it; next, if the device does user auth then it will compute the role in the authentication source you defined (Portal profile with filter connection_type EthernetEAP and source AD User and AD Machine).
> If the device tries to authenticate directly without previously doing machine auth then it will be refused.
>
> Btw if you want to forward the device to the registration vlan instead of refusing it then replace the rule 3 with that:
>
> [3:EthernetEAP&!machine]
> scope = RegisteredRole
> role = registration
> action = deregister_node
> action_param = $mac
>
>
> Regards
> Fabrice
>
> On 2016-02-04 22:17, Reeyon Lim wrote:
> > In addition, if any of the authorized users bring their personal device such as mobile/iPad/tablet/laptops, since they already have an 802.1x AD account in the company, they can easily set up 802.1x settings themselves and get access granted.
> >
> > Endpoint profiling/classification will have more flexibility and ease configuration.
> > Something similar to this:
> > PF detects any BYOD that aren't authorized, put them into registration.
> >
> > I have no idea how to deal with this objective, by using traditional 802.1x or WMI or Violation?
> >
> > I would prefer Violation, because it can operate dynamically by the design I guess. For example: PF detects domain computers, puts them in the normal vlan, otherwise puts them in the Registration vlan.
> > So how can I achieve this goal?
> >
> > Thank you.
> >
> > Regards,
> > Reeyon
> >
> >
> >
> > On Thu, Feb 4, 2016 at 10:16 AM, Reeyon Lim <[email protected]> wrote:
> >
> > Hello Fabrice,
> >
> > From the windows supplicant, by default "user and computer authentication" was chosen in 802.1x settings.
> >
> > Does PF provide another better solution for 802.1x authentication for BYOD?
> >
> > Regards,
> > Reeyon
> >
> > On Wed, Feb 3, 2016 at 11:55 PM, Fabrice DURAND <[email protected]> wrote:
> >
> > You talked about netbios name, not dns name.
> >
> > In PacketFence, freeradius validates the machine name (host/FMCART310-15.domain.com) and on the PacketFence side we have to create another authentication source with the user attribute servicePrincipalName.
> >
> > Check in your AD for a machine account (Adsiedit.msc) in the attribute servicePrincipalName and you will see the complete dns name of the machine.
> >
> > So the only limit is 64 characters of the dns name.
> >
> > Regards
> > Fabrice
> >
> > On 2016-02-03 10:16, Tedder, Eric wrote:
> > > Fabrice,
> > >
> > > I am not certain how you get it to work after 15 characters, but everything I read and have experienced with AD and hostnames being longer than 14/15 characters is that they don't authenticate because AD will truncate them.
> > >
> > > https://support.microsoft.com/en-us/kb/909264
> > > https://technet.microsoft.com/en-us/library/cc731383.aspx
> > > https://supportforums.cisco.com/discussion/12299256/ise-admin-server-16-character-hostname
> > >
> > >
> > > -----Original Message-----
> > > From: Fabrice DURAND [mailto:[email protected]]
> > > Sent: Wednesday, February 03, 2016 9:17 AM
> > > To: [email protected]
> > > Subject: Re: [PacketFence-users] machine authentication
> > >
> > > There is no limit of 14 characters, I have machine auth with more than 30 characters and there is no issue.
> > >
> > > Also did you check that the client does machine auth? (windows supplicant)
> > >
> > > Regards
> > > Fabrice
> > >
> > > On 2016-02-03 08:52, Tedder, Eric wrote:
> > >> The one limitation that I have found with computer authentication with packet fence and Active directory is that the computer name cannot exceed 14 characters or it breaks.
> > >>
> > >> *From:* Reeyon Lim [mailto:[email protected]]
> > >> *Sent:* Tuesday, February 02, 2016 9:39 PM
> > >> *To:* [email protected]
> > >> *Subject:* Re: [PacketFence-users] machine authentication
> > >>
> > >> Hello Fabrice,
> > >>
> > >> Now I restarted the config from scratch.
> > >>
> > >> 0. wipe out existing parameters in vlan_filters.conf
> > >> 1. Created AD-computer source, according to the Administration Guide.
> > >> 2. Map this source to 802.1x portal profile.
> > >> 3. run raddebug -f /usr/local/pf/var/run/radiusd.sock -t 3600
> > >> 4. I can't see any "host/xxxxxx" in debug, but I see "domain\username"
> > >>
> > >> So I guess the computer is authenticating user credentials instead of machine auth.
> > >>
> > >> Anything that I've missed out?
> > >>
> > >> Regards,
> > >> Reeyon
> > >>
> > >> On Tue, Feb 2, 2016 at 10:53 PM, Fabrice DURAND <[email protected]> wrote:
> > >>
> > >> Hello Reeyon,
> > >>
> > >> On 2016-02-02 02:12, Reeyon Lim wrote:
> > >>> Hello Everyone,
> > >>>
> > >>> Sorry for my multiple questions recently.
> > >> No problem, the mailing list is for that.
> > >>> I have been setting up 802.1x authentication for the lab, but I need to make the 802.1x authentication more secure, where I found machine authentication in the Administration guide.
> > >>>
> > >>> Tried to follow every step in the guide, but failed to make it work.
> > >>> I do not find any logs in packetfence.log like "host/xxxxxx", and pf just pushes the domain PC to RegistrationRole without authentication.
> > >> Check first in the radius.log or run radius in debug mode to see why machine auth failed (raddebug -f /usr/local/pf/var/run/radiusd.sock -t 3000).
> > >> When you are able to successfully authenticate the machine in freeradius then you will be able to see in packetfence.log a username like host/xxxxxx
> > >>> I have 2 source lists: ad-user, and ad-computers. These two lists are mapped to the 802.1x portal profile.
> > >>>
> > >>> The objective here is to block any non-domain BYOD from being able to access the network, except domain machines and users.
> > >>>
> > >> Next you will have to deal with the vlan filter to test if machine auth passed before user auth.
> > >>> Please help!
> > >>> Thank you.
> > >>>
> > >>> Regards,
> > >>> Reeyon
> > >>>
> > >>>
> > >> Regards
> > >> Fabrice
--
Fabrice Durand
[email protected] :: +1.514.447.4918 (x135) :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence (http://packetfence.org)
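The vlan filter rule set Fabrice posted on Feb 5 (and the ssid variant at the top of this reply) can be traced with the following added Python script. It is an illustration written for this thread, not PacketFence code: it models only a subset of the filter semantics (operators is, regex and defined; rule expressions built from filter names with &, | and !, no parentheses), and it does not model when PacketFence consults each scope during the node lifecycle or how the node's machine_account field gets populated after autoregistration. Each call evaluates one scope against one request dict. The sample requests, the host name PC01.example.com and the user EXAMPLE\alice are constructed.

```python
"""Evaluate PacketFence-style vlan_filters.conf rules against sample requests.
Added illustration for the thread above, not PacketFence code: only the operators
is / regex / defined and the &, |, ! expression forms are modelled (no parentheses)."""
import configparser
import re

# Fabrice's wired rule set from the thread, reproduced verbatim (blank lines dropped).
VLAN_FILTERS = r"""
[EthernetEAP]
filter = connection_type
operator = is
value = Ethernet-EAP
[machineauth]
filter = user_name
operator = regex
value = ^host\/
[machine]
filter = node_info
attribute = machine_account
operator = defined
value = default
[1:EthernetEAP&machineauth]
scope = AutoRegister
role = machine
[2:EthernetEAP&machineauth]
scope = NodeInfoForAutoReg
role = machine
[3:EthernetEAP&!machine]
scope = RegisteredRole
role = refuse
"""

def load_filters(text):
    """Split INI text into [filter] definitions and rules sorted by numeric id."""
    cp = configparser.ConfigParser(interpolation=None)   # keep ^host\/ and $mac literal
    cp.read_string(text)
    filters, rules = {}, []
    for name in cp.sections():
        sec = dict(cp[name])
        if "filter" in sec:
            filters[name] = sec
        else:                          # "[3:EthernetEAP&!machine]" -> id 3 + expression
            rid, expr = name.split(":", 1)
            rules.append((int(rid), expr, sec))
    return filters, sorted(rules, key=lambda r: r[0])

def eval_filter(flt, request):
    """Apply one [filter] section to a request dict (node_info is a nested dict)."""
    src = request.get("node_info", {}) if flt["filter"] == "node_info" else request
    val = src.get(flt.get("attribute") or flt["filter"])   # connection_type, ssid, user_name, ...
    op, want = flt["operator"], flt.get("value")
    if op == "defined":
        return val not in (None, "")
    if val is None:
        return False
    if op == "is":
        return val == want
    if op == "regex":
        return re.search(want, val) is not None
    raise ValueError(f"unsupported operator {op!r}")

def eval_expr(expr, filters, request):
    """'a&!b|c': | separates alternatives, & conjoins, ! negates a filter name."""
    def term(t):
        t = t.strip()
        neg = t.startswith("!")
        return eval_filter(filters[t[1:] if neg else t], request) != neg
    return any(all(term(t) for t in alt.split("&")) for alt in expr.split("|"))

def apply_filters(filters, rules, scope, request):
    """First rule for this scope whose expression holds; None means no filter fired
    and PacketFence falls through to its normal role lookup in the auth sources."""
    for _rid, expr, sec in rules:
        if sec.get("scope") == scope and eval_expr(expr, filters, request):
            return sec
    return None

# Constructed sample requests: the host/ prefix is how the supplicant presents a
# machine account (see the thread); the machine and user names are made up.
MACHINE_AUTH = {"connection_type": "Ethernet-EAP", "user_name": "host/PC01.example.com",
                "node_info": {}}
USER_AFTER_MACHINE = {**MACHINE_AUTH, "user_name": "EXAMPLE\\alice",
                      "node_info": {"machine_account": "host/PC01.example.com"}}
USER_ONLY = {**USER_AFTER_MACHINE, "node_info": {}}

def trace_thread_cases():
    """Outcome of each scenario discussed in the thread, keyed by scenario."""
    filters, rules = load_filters(VLAN_FILTERS)
    return {
        "machine_auth": apply_filters(filters, rules, "AutoRegister", MACHINE_AUTH),
        "machine_nodeinfo": apply_filters(filters, rules, "NodeInfoForAutoReg", MACHINE_AUTH),
        "user_after_machine": apply_filters(filters, rules, "RegisteredRole", USER_AFTER_MACHINE),
        "user_without_machine": apply_filters(filters, rules, "RegisteredRole", USER_ONLY),
    }

if __name__ == "__main__":
    for case, outcome in trace_thread_cases().items():
        print(f"{case:22} -> {outcome or 'no filter matched (normal role lookup)'}")
```

Running it shows the three outcomes Fabrice describes: a machine auth request fires rules 1 and 2 (role machine), a user auth on a node whose machine_account is already set fires nothing for RegisteredRole (so the role comes from the AD sources), and a user auth on a node with no machine_account fires rule 3 (refuse). Swapping the connection_type filter for an ssid filter, as suggested for wireless, needs no code change because eval_filter reads whichever request attribute the filter names.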
_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
