Hello Fabrice,
It is perfect now :-)
Just realized that supplicant's server CA was causing the problem.
Btw, I still stick with the connection_type filter Wireless-802.11-EAP and
it is working.
Thank you.
Regards,
Reeyon
On Thu, Feb 11, 2016 at 9:48 PM, Fabrice DURAND <[email protected]> wrote:
Hello Reeyon,
Under wireless, do you have machine and user auth?
Also, it should work, but you can replace the connection_type filter with an
ssid filter.
Something like that:
[ssidsecure]
filter = ssid
operator = is
value = ssidsecure
Regards
Fabrice
On 2016-02-10 23:33, Reeyon Lim wrote:
> Hello Fabrice,
>
> oh yeah .. it's working now with Ethernet LAN :-)
> I logged out & in and can see user/computer authentication logs
> flowing.
>
> How about wireless EAP? I tried with the following scripts but it
> seems it doesn't work.
>
> [machine]
> filter = node_info
> attribute = machine_account
> operator = defined
> value = default
> #
> [ssidsecure]
> filter = connection_type
> operator = is
> value = Wireless-802.11-EAP
> #
> [4:ssidsecure&machineauth]
> scope = AutoRegister
> role = machines
> #
> [5:ssidsecure&machineauth]
> scope = NodeInfoForAutoReg
> role = machines
> #
> [6:ssidsecure&!machine]
> scope = RegisteredRole
> role = refuse
>
> Regards,
> Reeyon
>
>
> On Thu, Feb 11, 2016 at 10:18 AM, Reeyon Lim <[email protected]> wrote:
>
> Hello Fabrice,
>
> Thank you for the script, appreciate that :-)
>
> However, no matter how I try, the supplicant always goes to
> user authentication first instead of computer authentication. In
> order to autoreg the computer, I did the following steps:
>
> 1. First, my Windows 7 does user authentication; although RADIUS
> accepted it, PF presents the registration VLAN
> 2. Then, I manually force my Win7 supplicant to "computer
> authentication" in the 802.1x settings and reconnect the port, and PF
> starts to autoreg the machine
> 3. Lastly, I revert the 802.1x setting back to "user or computer
> authentication" and reconnect the port; PF autoregs without issue
>
> So if I unreg the node manually, I have to redo steps 2 & 3 to
> autoreg the node.
> Thank you.
>
> Regards,
> Reeyon
>
>
> On Fri, Feb 5, 2016 at 11:56 PM, Fabrice DURAND <[email protected]> wrote:
>
> Hello Reeyon,
>
> you can do something like that:
>
> First create a role machine and a role refuse.
> In the switch config assign the role machine to a production vlan and
> refuse to the vlan id -1.
>
> Next add to the vlan filter this:
>
> [EthernetEAP]
> filter = connection_type
> operator = is
> value = Ethernet-EAP
>
> [machineauth]
> filter = user_name
> operator = regex
> value = ^host\/
>
> [machine]
> filter = node_info
> attribute = machine_account
> operator = defined
> value = default
>
> #### Machine Auth Autoregister ####
>
> [1:EthernetEAP&machineauth]
> scope = AutoRegister
> role = machine
>
> [2:EthernetEAP&machineauth]
> scope = NodeInfoForAutoReg
> role = machine
>
> #### Refuse User Auth without machine Auth ####
>
> [3:EthernetEAP&!machine]
> scope = RegisteredRole
> role = refuse
>
> So if the first authentication is machine auth then packetfence will
> autoregister it; next, if the device does user auth then it will compute
> the role in the authentication source you defined (Portal profile with
> filter connection_type EthernetEAP and sources AD User and AD Machine).
> If the device tries to authenticate directly without previously doing
> machine auth then it will be refused.
>
> Btw if you want to forward the device to the registration vlan instead
> of refusing it then replace rule 3 with that:
>
> [3:EthernetEAP&!machine]
> scope = RegisteredRole
> role = registration
> action = deregister_node
> action_param = $mac
>
>
> Regards
> Fabrice
>
> On 2016-02-04 22:17, Reeyon Lim wrote:
> > In addition, if any of the authorized users bring their personal device
> > such as mobile/iPad/tablet/laptops, since they already have an
> > 802.1x AD account in the company, they can easily set up the
> > 802.1x settings themselves and get access granted.
> >
> > Endpoint profiling/classification will have more flexibility and ease
> > configuration.
> > Something similar to this:
> > PF detects any BYOD that aren't authorized, puts them into registration.
> >
> > I have no idea how to deal with this objective, by using traditional
> > 802.1x or WMI or Violation?
> >
> > I would prefer Violation, because it can operate dynamically by the
> > design I guess. For example: PF detects domain computers, puts them in the
> > normal vlan, otherwise puts them in the Registration vlan.
> > So how can I achieve this goal?
> >
> > Thank you.
> >
> > Regards,
> > Reeyon
> >
> >
> >
> > On Thu, Feb 4, 2016 at 10:16 AM, Reeyon Lim <[email protected]> wrote:
> >
> > Hello Fabrice,
> >
> > From the Windows supplicant, by default "user and computer
> > authentication" was chosen in the 802.1x settings.
> >
> > Does PF provide any other better solution for 802.1x authentication
> > for BYOD?
> >
> > Regards,
> > Reeyon
> >
> > On Wed, Feb 3, 2016 at 11:55 PM, Fabrice DURAND <[email protected]> wrote:
> >
> > You talked about netbios name, not dns name.
> >
> > In PacketFence, freeradius validates the machine name
> > (host/FMCART310-15.domain.com) and on the PacketFence side we have to create
> > another authentication source with the user attribute
> > servicePrincipalName.
> >
> > Check in your AD for a machine account (Adsiedit.msc) in the attribute
> > servicePrincipalName and you will see the complete dns name of
> > the machine.
> >
> > So the only limit is 64 characters of the dns name.
> >
> > Regards
> > Fabrice
> >
> > On 2016-02-03 10:16, Tedder, Eric wrote:
> > > Fabrice,
> > >
> > > I am not certain how you get it to work after 15 characters,
> > > but everything I read and have experienced with AD and
> > > hostnames being longer than 14/15 characters is that they
> > > don't authenticate because AD will truncate them.
> > >
> > > https://support.microsoft.com/en-us/kb/909264
> > > https://technet.microsoft.com/en-us/library/cc731383.aspx
> > > https://supportforums.cisco.com/discussion/12299256/ise-admin-server-16-character-hostname
> > >
> > >
> > >
> > > -----Original Message-----
> > > From: Fabrice DURAND [mailto:[email protected]]
> > > Sent: Wednesday, February 03, 2016 9:17 AM
> > > To: [email protected]
> > > Subject: Re: [PacketFence-users] machine authentication
> > >
> > > There is no limit of 14 characters, I have machine auth with more than
> > > 30 characters and there is no issue.
> > >
> > > Also did you check that the client does machine auth?
> > > (windows supplicant)
> > >
> > > Regards
> > > Fabrice
> > >
> > > On 2016-02-03 08:52, Tedder, Eric wrote:
> > >> The one limitation that I have found with computer authentication with
> > >> packet fence and Active directory is that the computer name cannot
> > >> exceed 14 characters or it breaks.
> > >>
> > >>
> > >>
> > >> *From:* Reeyon Lim [mailto:[email protected]]
> > >> *Sent:* Tuesday, February 02, 2016 9:39 PM
> > >> *To:* [email protected]
> > >> *Subject:* Re: [PacketFence-users] machine authentication
> > >>
> > >>
> > >>
> > >> Hello Fabrice,
> > >>
> > >> Now I restarted the config from scratch.
> > >>
> > >> 0. wipe out existing parameters in vlan_filters.conf
> > >> 1. Created AD-computer source, according to the Administration Guide.
> > >> 2. Map this source to the 802.1x portal profile.
> > >> 3. run raddebug -f /usr/local/pf/var/run/radiusd.sock -t 3600
> > >> 4. I can't see any "host/xxxxxx" in debug, but I see "domain\username"
> > >>
> > >> So I guess the computer is authenticating user credentials instead of
> > >> machine auth.
> > >>
> > >> Anything that I've missed out?
> > >>
> > >> Regards,
> > >> Reeyon
> > >> On Tue, Feb 2, 2016 at 10:53 PM, Fabrice DURAND <[email protected]> wrote:
> > >>
> > >> Hello Reeyon,
> > >>
> > >> On 2016-02-02 02:12, Reeyon Lim wrote:
> > >>> Hello Everyone,
> > >>>
> > >>> Sorry for my multiple questions recently.
> > >> No problem, the mailing list is for that.
> > >>> I have been setting up 802.1x authentication for the lab, but I
> > >>> need to make 802.1x authentication more secure, which is where I found
> > >>> machine authentication in the Administration guide.
> > >>>
> > >>> Tried to follow every step in the guide, but failed to make it work.
> > >>> I do not find any logs in packetfence.log like "host/xxxxxx", and pf
> > >>> just pushes the domain PC to RegistrationRole without authentication.
> > >> Check first in the radius.log or run radius in debug mode to see why
> > >> machine auth failed (raddebug -f /usr/local/pf/var/run/radiusd.sock -t
> > >> 3000).
> > >> When you are able to successfully authenticate the machine in
> > >> freeradius then you will be able to see in packetfence.log a username
> > >> like host/xxxxxx
> > >>> I have 2 source lists: ad-user and ad-computers. These two lists are
> > >>> mapped to the 802.1x portal profile.
> > >>>
> > >>> The objective here is to block any non-domain BYOD from being able to
> > >>> access the network, except domain machines and users.
> > >>>
> > >> Next you will have to deal with the vlan filter to test if machine auth
> > >> passed before user auth.
> > >>> Please help!
> > >>> Thank you.
> > >>>
> > >>> Regards,
> > >>> Reeyon
> > >>>
> > >>>
> > >> Regards
> > >> Fabrice
> > >>
> > >>>
> > >>
> > >>> ------------------------------------------------------------------------------
> > >>> Site24x7 APM Insight: Get Deep Visibility into Application Performance
> > >>> APM + Mobile APM + RUM: Monitor 3 App instances at just $35/Month
> > >>> Monitor end-to-end web transactions and take corrective actions now
> > >>> Troubleshoot faster and improve end-user experience. Signup Now!
> > >>> http://pubads.g.doubleclick.net/gampad/clk?id=267308311&iu=/4140
> > >>> _______________________________________________
> > >>> PacketFence-users mailing list
> > >>> [email protected]
> > >>> https://lists.sourceforge.net/lists/listinfo/packetfence-users
> > >>
> > >> --
> > >> Fabrice Durand
> > >> [email protected] :: +1.514.447.4918 (x135) :: www.inverse.ca
> > >> Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence
> > >> (http://packetfence.org)
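Added example, not code from PacketFence or from anyone in this thread: a small Python model of the vlan filter rules Fabrice posted (the `user_name regex ^host\/` machineauth filter, the `node_info` test for a defined `machine_account`, and rules 1 to 3), replayed against the sequence Reeyon described. It shows why a user auth that arrives before any machine auth ends up refused (or, with the alternative rule 3, deregistered and sent to registration), while a user auth on a PC that already did machine auth falls through to the role computed from the authentication sources. It goes slightly beyond the thread in that one helper builds the rule set for either the Ethernet-EAP or the Wireless-802.11-EAP connection filter. The node store, the single-pass evaluation of the scopes, the `from_authentication_source` placeholder role and the sample MACs and usernames are all assumptions made for this illustration.

```python
import re
from dataclasses import dataclass

# Assumption: a minimal stand-in for the node table, mac -> node_info dict.
# Constructed for this example; it is not PacketFence's data model.


@dataclass
class Request:
    """The attributes of one RADIUS authentication that the filters inspect."""
    mac: str
    user_name: str
    connection_type: str


# The named filters from the thread, written as predicates over (request, node_info).
# `machineauth` is the `user_name regex ^host\/` filter; `machine` is the
# `node_info attribute machine_account defined` filter.
FILTERS = {
    "EthernetEAP": lambda req, node: req.connection_type == "Ethernet-EAP",
    "WirelessEAP": lambda req, node: req.connection_type == "Wireless-802.11-EAP",
    "machineauth": lambda req, node: re.match(r"^host\/", req.user_name) is not None,
    "machine": lambda req, node: node.get("machine_account") is not None,
}


def build_rules(connection_filter, without_machine="refuse"):
    """Rules 1-3 from the thread for a given connection filter.

    The third rule is either the `refuse` variant or the
    `registration` + `deregister_node` variant given as an alternative.
    """
    rules = [
        (connection_filter + "&machineauth", "AutoRegister", "machine", None),
        (connection_filter + "&machineauth", "NodeInfoForAutoReg", "machine", None),
    ]
    if without_machine == "refuse":
        rules.append((connection_filter + "&!machine", "RegisteredRole", "refuse", None))
    else:
        rules.append((connection_filter + "&!machine", "RegisteredRole", "registration",
                      ("deregister_node", "$mac")))
    return rules


def matches(condition, req, node):
    """Evaluate an `a&b&!c` condition; `&` and `!` are the only operators
    the thread's rule names use."""
    for term in condition.split("&"):
        negate = term.startswith("!")
        value = FILTERS[term.lstrip("!")](req, node)
        if value == negate:  # False term without '!', or True term with '!'
            return False
    return True


def authorize(req, nodes, rules):
    """Run one authentication through the rules and return the role granted.

    Assumption: all scopes are evaluated in one pass per request, in rule
    order, and `nodes` is updated in place to mimic autoregistration.
    """
    node = nodes.setdefault(req.mac, {"status": "unreg"})
    # Assumption: placeholder for the role PF computes from the authentication
    # sources when no RegisteredRole rule fires.
    role = "from_authentication_source"
    for condition, scope, rule_role, action in rules:
        if not matches(condition, req, node):
            continue
        if scope == "AutoRegister":
            node["status"] = "reg"
            node["category"] = rule_role
            role = rule_role
        elif scope == "NodeInfoForAutoReg":
            # Machine auth succeeded: remember the machine credential on the
            # node. This is what the later `!machine` test looks for.
            node["machine_account"] = req.user_name
        elif scope == "RegisteredRole":
            role = rule_role
            if action and action[0] == "deregister_node":
                target = req.mac if action[1] == "$mac" else action[1]
                nodes[target]["status"] = "unreg"
    return role


def walkthrough():
    """Replay the sequence from the thread against the Ethernet-EAP rules.

    Returns the list of (user_name, role) decisions so it can be checked.
    """
    nodes = {}
    rules = build_rules("EthernetEAP")
    sequence = [  # constructed sample requests
        Request("aa:bb:cc:00:00:01", "host/PC01.domain.com", "Ethernet-EAP"),  # machine auth
        Request("aa:bb:cc:00:00:01", "DOMAIN\\alice", "Ethernet-EAP"),          # user on that PC
        Request("aa:bb:cc:00:00:02", "DOMAIN\\bob", "Ethernet-EAP"),            # BYOD, user only
        Request("aa:bb:cc:00:00:03", "DOMAIN\\carol", "Wireless-802.11-EAP"),   # no rule applies
    ]
    return [(r.user_name, authorize(r, nodes, rules)) for r in sequence]


if __name__ == "__main__":
    for user, role in walkthrough():
        print(f"{user:28} -> {role}")
```

Running it prints the four decisions; for the wireless case build the rules with `build_rules("WirelessEAP")`. The point for anyone debugging this setup is visible in `authorize`: the `!machine` rule only does its job if the machine auth actually reached FreeRADIUS and was recorded on the node, which is exactly what the `raddebug` check earlier in the thread verifies.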