Philip,

Successful authentication =/= registration. Try to define a specific portal profile for users who connect via MachineAuth and check the box "Automatically register devices" on this portal profile. You could also add an AutoRegister filter via the VLAN filter; examples are provided in vlan_filter.example.

Thanks
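As an added illustration (not from the original thread or from the PacketFence project files), here is a VLAN filter rule written in the style of vlan_filter.example that auto-registers a wired, machine-authenticated host instead of leaving it in the registration VLAN. The rule name MachineAutoReg, the role name machine, and the exact 6.5 syntax are assumptions; compare against the vlan_filter.example shipped with your install.

```ini
# Added example, modelled on the syntax of vlan_filter.example
# (assumption: PacketFence 6.5 vlan_filters.conf format).

# Condition 1: the RADIUS username starts with "host/", which is how a
# domain-joined Windows computer identifies itself during machine
# authentication (a user logon would carry DOMAIN\user or user@domain).
[1]
filter = username
operator = match
value = ^host/

# Condition 2: only wired 802.1X connections, matching the dot1x wired
# scenario in this thread (Ethernet-EAP is PacketFence's wired 802.1X
# connection type).
[2]
filter = connection_type
operator = is
value = Ethernet-EAP

# Rule: when both conditions match, register the node automatically and
# assign the hypothetical role "machine". Rule name and role name are
# placeholders for this example; use an existing role from your roles list.
[MachineAutoReg:1&2]
scope = AutoRegister
role = machine
```

After editing vlan_filters.conf, reload the configuration so the new rule is picked up, then verify in the node list that the machine-authenticated PC changes to registered with the expected role.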


On 02/08/2017 11:54 AM, Philip Damian-Grint wrote:
Hi Antoine,

I reinstalled with PF 6.5.0-1, joined the server to AD, and machine authentication now works for a domain-joined PC. The only problem is that after a successful authentication, PF always places the port into the registration VLAN. It seems to ignore all sources, realms etc, and only look at the registration role on the switch itself. Is there something different I need to do for this release?



On 6 February 2017 at 18:30, Antoine Amacher <[email protected]> wrote:

    Philip,

    If you joined the domain via realm or samba from the CLI, there is
    a configuration issue to handle machine authentication. It is
    fixed in 6.5; running migrate.pl should fix your issue.

    Thanks


    On 02/06/2017 12:21 PM, Philip Damian-Grint wrote:
    Hi Antoine,

    Thank you for responding.

    So I have a source for machine authentication which uses
    servicePrincipalName.
    I find the instructions unclear for configuring the realm - I
    have a default realm which references my machine authentication
    source, but with nothing in the Domain field. I am following
    option 1b in the admin guide so I haven't run the migrate.pl
    task, but rather joined to the domain using Samba. Is this not
    correct?




    On 6 February 2017 at 16:40, Antoine Amacher <[email protected]> wrote:

        Hello Philip

        You are trying to do Machine Authentication; make sure the
        "Username Attribute" you are looking for in your AD source is
        servicePrincipalName (machine auth) and not
        sAMAccountName (user auth).

        Also make sure your realms are configured.

        Let us know if that helps.

        Thanks

        On 02/06/2017 10:22 AM, Philip Damian-Grint wrote:
        Hello mailing list,

        Running Packetfence 6.4.0-1 on Centos 7.3.1611
        Test switch is Cisco 2960 running 15.0(1)SE3

        I have joined the server to our AD domain
        net ads testjoin returns "Join is OK"
        I have enabled winbind, and ntlm_auth successfully
        authenticates domain users.
        I have issued a certificate from our AD PKI to the PF
        server, and also copied the CA cert into a separate eap-tls
        folder as suggested, then updated eap.conf - radiusd seems
        to be happy with it.

        I am trying to get dot1x *wired* machine authentication
        working for domain-joined machines.

        When I connect a domain-joined computer to a dot1x port the
        radiusd log shows:
        mschap: Program returned code (1) and output 'Logon failure
        (0xc000006d)'

        I have seen elsewhere in the mailing lists a few responses
        by Louis Munro around troubleshooting this with ntlm_auth,
        and certainly running ntlm_auth with the challenge and
        response shown in the log is giving me the same error.

        Not sure where to go with this - I think I probably don't
        understand my options on machine authentication
        in terms of certificate vs machine account/password, and
        therefore have an incomplete config.

        Would anyone be able to nudge me a little further along? I
        think I would like authentication by certificate for
        domain-joined machines to work, unless you can recommend
        otherwise.




        
------------------------------------------------------------------------------
        Check out the vibrant tech community on one of the world's most
        engaging tech sites, SlashDot.org! http://sdm.link/slashdot

        _______________________________________________
        PacketFence-users mailing list
        [email protected]
        https://lists.sourceforge.net/lists/listinfo/packetfence-users

--
Antoine Amacher
[email protected]  ::  www.inverse.ca
+1.514.447.4918 x130  :: +1 (866) 353-6153 x130
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence (www.packetfence.org)

        