Hi Antoine,
Thank you for responding.
So I have a source for machine authentication which uses
servicePrincipalName.
I find the instructions unclear for configuring the realm - I have a
default realm which references my machine authentication source, but with
nothing in the Domain field. I am following option 1b in the admin guide so
I haven't run the migrate.pl task, but rather joined to the domain using
Samba. Is this not correct?
On 6 February 2017 at 16:40, Antoine Amacher <[email protected]> wrote:
> Hello Philip
>
> You are trying to do Machine Authentication, make sure the "Username
> Attribute" you are looking for in your AD source is
> servicePrincipalName(machine auth) and not sAMAccountName(user auth).
>
> Also make sure your realms are configured.
> Let us know if that helps.
>
> Thanks
>
> On 02/06/2017 10:22 AM, Philip Damian-Grint wrote:
>
> Hello mailing list,
>
> Running Packetfence 6.4.0-1 on Centos 7.3.1611
> Test switch is Cisco 2960 running 15.0(1)SE3
>
> I have joined the server to our AD domain
> net ads testjoin returns "Join is OK"
> I have enabled winbind, and ntlm_auth successfully authenticates domain
> users.
> I have issued a certificate from our AD PKI to the PF server, and also
> copied the CA cert into a separate eap-tls folder as suggested, then
> updated eap.conf - radiusd seems to be happy with it.
>
> I am trying to get dot1x *wired* machine authentication working for
> domain-joined machines.
>
> When I connect a domain-joined computer to a dot1x port the radiusd log
> shows:
> mschap: Program returned code (1) and output 'Logon failure (0xc000006d)'
>
> I have seen elsewhere in the mailing lists a few responses by Louis Munro
> around troubleshooting this with ntlm_auth, and certainly running ntlm_auth
> with the challenge and response shown in the log is giving me the same
> error.
>
> Not sure where to go with this - I think I probably don't understand my
> options on machine authentication in terms of certificate vs machine
> account/password, and therefore have an incomplete config.
>
> Would anyone be able to nudge me a little further along? I think I would
> like authentication by certificate for domain-joined machines to work,
> unless you can recommend otherwise.
>
> ------------------------------------------------------------------------------
> Check out the vibrant tech community on one of the world's most
> engaging tech sites, SlashDot.org! http://sdm.link/slashdot
>
> _______________________________________________
> PacketFence-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/packetfence-users
>
> --
> Antoine [email protected] :: www.inverse.ca +1.514.447.4918 x130
> :: +1 (866) 353-6153 x130
> Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence
> (www.packetfence.org)
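The thread turns on two things: reading the expanded ntlm_auth arguments and the NTSTATUS code out of the radiusd debug output, and checking that the identity the supplicant sends (host/fqdn for Windows machine authentication) is matched against servicePrincipalName rather than sAMAccountName, as Antoine points out. The script below, added here as an illustration and not code from the thread, from PacketFence or from FreeRADIUS, pulls those pieces out of a constructed radiusd -X excerpt and rebuilds the ntlm_auth command so the same challenge/response can be replayed by hand the way Philip describes. The debug line shapes are assumed from FreeRADIUS 3.0 output; the host name, domain, challenge and response values are made up.

```python
import re
from typing import Dict, List, Optional

# Constructed excerpt of `radiusd -X` output for one wired 802.1X request. The
# line shapes follow what the FreeRADIUS 3.0 mschap module prints when it
# expands and execs ntlm_auth (assumed format); the host name, domain,
# challenge and response below are made up.
SAMPLE_DEBUG = """\
(0) mschap: Creating challenge hash with username: host/pc01.example.local
(0) mschap: Client is using MS-CHAPv2
(0) mschap: EXPAND --username=%{mschap:User-Name}
(0) mschap:    --> --username=host/pc01.example.local
(0) mschap: EXPAND --domain=%{mschap:NT-Domain}
(0) mschap:    --> --domain=EXAMPLE
(0) mschap: EXPAND --challenge=%{mschap:Challenge}
(0) mschap:    --> --challenge=6d0b1f0c5a3e9d21
(0) mschap: EXPAND --nt-response=%{mschap:NT-Response}
(0) mschap:    --> --nt-response=b6fb4b1d3f2d9e2f4a3b1c0d9e8f7a6b5c4d3e2f1a0b9c8d
(0) mschap: ERROR: Program returned code (1) and output 'Logon failure (0xc000006d)'
"""

# "(N) mschap:    --> --flag=value" lines carry the already-expanded ntlm_auth
# arguments; the EXPAND line before each one only shows the xlat template.
_EXPANDED_ARG = re.compile(r"^\(\d+\) mschap:\s+--> --([a-z-]+)=(.*)$")
_FAILURE = re.compile(
    r"mschap: (?:ERROR: )?Program returned code \((\d+)\) and output '([^']*)'"
)
_NTSTATUS = re.compile(r"0x[0-9a-fA-F]{8}")


def parse_ntlm_auth_args(debug: str) -> Dict[str, str]:
    """Collect the expanded --flag=value pairs the server handed to ntlm_auth."""
    args: Dict[str, str] = {}
    for line in debug.splitlines():
        m = _EXPANDED_ARG.match(line)
        if m:
            args[m.group(1)] = m.group(2).strip()
    return args


def parse_failure(debug: str) -> Optional[Dict[str, str]]:
    """Return exit code, message and NTSTATUS of the ntlm_auth failure, if any."""
    m = _FAILURE.search(debug)
    if not m:
        return None
    status = _NTSTATUS.search(m.group(2))
    return {
        "exit_code": m.group(1),
        "message": m.group(2),
        "ntstatus": status.group(0).lower() if status else "",
    }


def classify_identity(username: str) -> str:
    """Name the AD attribute a supplicant identity has to be looked up by.

    Windows machine authentication sends host/<fqdn>, which AD stores in
    servicePrincipalName; a trailing '$' is the sAMAccountName of the computer
    account; anything else is an ordinary user logon.
    """
    if username.startswith("host/"):
        return "servicePrincipalName"
    if username.endswith("$"):
        return "sAMAccountName (computer)"
    return "sAMAccountName (user)"


def build_reproducer(args: Dict[str, str]) -> List[str]:
    """Rebuild the ntlm_auth invocation so the same challenge/response can be
    replayed by hand on the PacketFence host, as the thread describes."""
    cmd = ["ntlm_auth", "--request-nt-key"]
    for flag in ("domain", "username", "challenge", "nt-response"):
        if flag in args:
            cmd.append(f"--{flag}={args[flag]}")
    return cmd


def diagnose(debug: str) -> Dict[str, object]:
    """Summarise one failed request: what was sent, what failed, and which
    directory attribute the authentication source must be keyed on."""
    args = parse_ntlm_auth_args(debug)
    identity = args.get("username", "")
    return {
        "identity": identity,
        "lookup_attribute": classify_identity(identity),
        "failure": parse_failure(debug),
        "reproducer": build_reproducer(args),
    }


if __name__ == "__main__":
    for key, value in diagnose(SAMPLE_DEBUG).items():
        print(f"{key}: {value}")
```

Run it against a real radiusd -X capture instead of SAMPLE_DEBUG to get the reproducer line; if ntlm_auth replayed by hand returns the same 0xc000006d for a host/ identity, the lookup attribute on the authentication source is the first thing to verify, before touching the certificate side.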