Hello Philip

You are trying to do machine authentication, so make sure the "Username Attribute" you are looking for in your AD source is servicePrincipalName (machine auth) and not sAMAccountName (user auth).

Also make sure your realms are configured.

Let us know if that helps.

Thanks

On 02/06/2017 10:22 AM, Philip Damian-Grint wrote:
Hello mailing list,

Running Packetfence 6.4.0-1 on Centos 7.3.1611
Test switch is Cisco 2960 running 15.0(1)SE3

I have joined the server to our AD domain
net ads testjoin returns "Join is OK"
I have enabled winbind, and ntlm_auth successfully authenticates domain users. I have issued a certificate from our AD PKI to the PF server, and also copied the CA cert into a separate eap-tls folder as suggested, then updated eap.conf - radiusd seems to be happy with it.

I am trying to get dot1x *wired* machine authentication working for domain-joined machines.

When I connect a domain-joined computer to a dot1x port the radiusd log shows:
mschap: Program returned code (1) and output 'Logon failure (0xc000006d)'

I have seen elsewhere in the mailing lists a few responses by Louis Munro around troubleshooting this with ntlm_auth, and certainly running ntlm_auth with the challenge and response shown in the log is giving me the same error.

Not sure where to go with this - I think I probably don't understand my options on machine authentication in terms of certificate vs machine account/password, and therefore have an incomplete config.

Would anyone be able to nudge me a little further along? I think I would like authentication by certificate for domain-joined machines to work, unless you can recommend otherwise.




------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, SlashDot.org! http://sdm.link/slashdot


_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users

--
Antoine Amacher
[email protected]  ::  www.inverse.ca
+1.514.447.4918 x130  :: +1 (866) 353-6153 x130
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence (www.packetfence.org)
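The distinction in the reply above (servicePrincipalName for machine authentication, sAMAccountName for user authentication) comes down to what identity the supplicant presents and which AD attribute holds it. The following is an added illustration, not code from PacketFence or from either poster: a Windows machine authenticating with 802.1X presents an identity of the form host/<computer fqdn>, which is stored in the computer object's servicePrincipalName, while its sAMAccountName is COMPUTER$ and will never match. The directory entries, the identities and the helper names (normalise_identity, username_attribute, build_filter, lookup) are all constructed for this example.

```python
"""Pick the AD lookup attribute for an 802.1X identity and show why the
wrong attribute yields no match.  Everything below is constructed for
illustration; it is not PacketFence code and talks to no real directory."""
from typing import List, Optional

# Constructed stand-in for a small AD domain.  In AD a computer object has
# objectClass user as well as computer, which the filter below relies on.
CONSTRUCTED_DIRECTORY = [
    {
        "dn": "CN=LAPTOP01,CN=Computers,DC=example,DC=test",
        "objectClass": ["top", "person", "organizationalPerson", "user", "computer"],
        "sAMAccountName": ["LAPTOP01$"],
        "servicePrincipalName": ["HOST/LAPTOP01", "HOST/laptop01.example.test"],
    },
    {
        "dn": "CN=Philip,CN=Users,DC=example,DC=test",
        "objectClass": ["top", "person", "organizationalPerson", "user"],
        "sAMAccountName": ["philip"],
        "servicePrincipalName": [],
    },
]

# RFC 4515 escaping for values placed inside an LDAP search filter, so an
# identity containing filter metacharacters cannot alter the query.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def ldap_escape(value: str) -> str:
    """Escape a single assertion value for use in an LDAP filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def normalise_identity(identity: str) -> str:
    """Strip the DOMAIN\\ prefix and @realm suffix a supplicant may add."""
    if "\\" in identity:
        identity = identity.split("\\", 1)[1]
    return identity.split("@", 1)[0]


def is_machine_identity(identity: str) -> bool:
    """Windows machine authentication presents host/<fqdn> as the identity."""
    return normalise_identity(identity).lower().startswith("host/")


def username_attribute(identity: str) -> str:
    """Attribute the AD source must search for this kind of identity."""
    return "servicePrincipalName" if is_machine_identity(identity) else "sAMAccountName"


def build_filter(identity: str, attribute: Optional[str] = None) -> str:
    """LDAP filter an AD source would send for this identity."""
    attribute = attribute or username_attribute(identity)
    return "(&(objectClass=user)({}={}))".format(
        attribute, ldap_escape(normalise_identity(identity))
    )


def lookup(identity: str, attribute: Optional[str] = None) -> Optional[str]:
    """Emulate the directory search; both attributes match case-insensitively
    in AD, so compare lower-cased.  Returns the matching DN or None."""
    attribute = attribute or username_attribute(identity)
    wanted = normalise_identity(identity).lower()
    for entry in CONSTRUCTED_DIRECTORY:
        values: List[str] = entry.get(attribute, [])
        if any(v.lower() == wanted for v in values):
            return entry["dn"]
    return None


if __name__ == "__main__":
    for ident in ("host/laptop01.example.test", "EXAMPLE\\philip"):
        print(ident, "->", username_attribute(ident), build_filter(ident), lookup(ident))
    # The misconfiguration from the thread: machine identity searched by sAMAccountName.
    print("wrong attribute ->", lookup("host/laptop01.example.test", "sAMAccountName"))
```

Running the block shows the machine identity resolving to the computer object only when servicePrincipalName is searched; the same identity searched by sAMAccountName returns nothing, which is what a "Username Attribute" set for user authentication does to a machine-authentication request.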

