Philip,
If you joined the domain via realm or samba from the CLI, there is a
configuration issue to handle machine authentication. It is fixed in
6.5, running the migrate.pl should fix your issue.
Thanks
On 02/06/2017 12:21 PM, Philip Damian-Grint wrote:
Hi Antoine,
Thank you for responding.
So I have a source for machine authentication which uses
servicePrincipalName.
I find the instructions unclear for configuring the realm - I have a
default realm which references my machine authentication source, but
with nothing in the Domain field. I am following option 1b in the
admin guide so I haven't run the migrate.pl <http://migrate.pl> task,
but rather joined to the domain using Samba. Is this not correct?
On 6 February 2017 at 16:40, Antoine Amacher <[email protected]
<mailto:[email protected]>> wrote:
Hello Philip
You are trying to do Machine Authentication, make sure the
"Username Attribute" you are looking for in your AD source is
servicePrincipalName(machine auth) and not sAMAccountName(user auth).
Also make sure your realm are configured.
Let us know if that help.
Thanks
On 02/06/2017 10:22 AM, Philip Damian-Grint wrote:
Hello mailing list,
Running Packetfence 6.4.0-1 on Centos 7.3.1611
Test switch is Cisco 2960 running 15.0(1)SE3
I have joined the server to our AD domain
net ads testjoin returns "Join is OK"
I have enabled winbind, and ntlm_auth successfully authenticates
domain users.
I have issued a certificate from our AD PKI to the PF server, and
also copied the CA cert into a separate eap-tls folder as
suggested, then updated eap.conf - radiusd seems to be happy with it.
I am trying to get dot1x *wired* machine authentication working
for domain-joined machines.
When I connect a domain-joined computer to a dot1x port the
radiusd log shows:
mschap: Program returned code (1) and output 'Logon failure
(0xc000006d)'
I have seen elsewhere in the mailing lists a few responses by
Louis Munro around troubleshooting this with ntlm_auth, and
certainly running ntlm_auth with the challenge and response shown
in the log is giving me the same error.
Not sure to go with this - I think I probably don't understand my
options on machine authentication
in terms of certificate vs machine account/password, and
therefore have an incomplete config.
Would anyone be able to nudge me a little further along? I think
I would like authentication by certificate for domain-joined
machines to work, unless you can recommend otherwise.
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, SlashDot.org!http://sdm.link/slashdot
_______________________________________________
PacketFence-users mailing list
[email protected]
<mailto:[email protected]>
https://lists.sourceforge.net/lists/listinfo/packetfence-users
<https://lists.sourceforge.net/lists/listinfo/packetfence-users>
--
Antoine Amacher
[email protected] <mailto:[email protected]> ::www.inverse.ca <http://www.inverse.ca>
+1.514.447.4918 x130 <tel:%28514%29%20447-4918> ::+1 (866) 353-6153 x130 <tel:%28866%29%20353-6153>
Inverse inc. :: Leaders behind SOGo (www.sogo.nu <http://www.sogo.nu>) and
PacketFence (www.packetfence.org <http://www.packetfence.org>)
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, SlashDot.org! http://sdm.link/slashdot
_______________________________________________ PacketFence-users
mailing list [email protected]
<mailto:[email protected]>
https://lists.sourceforge.net/lists/listinfo/packetfence-users
<https://lists.sourceforge.net/lists/listinfo/packetfence-users>
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, SlashDot.org! http://sdm.link/slashdot
_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
--
Antoine Amacher
[email protected] :: www.inverse.ca
+1.514.447.4918 x130 :: +1 (866) 353-6153 x130
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence
(www.packetfence.org)
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, SlashDot.org! http://sdm.link/slashdot
_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
