Hi Antoine,

VLAN filter does the job nicely!
Thanks also for clarifying authentication vs registration.

On 8 February 2017 at 18:31, Antoine Amacher <[email protected]> wrote:

> Philip,
>
> Successful authentication =/= registration. Try to define a specific
> portal profile for users who connect via MachineAuth and check the box
> "Automatically register devices" on this portal profile. You could also add
> an AutoRegister filter via the VLAN filter, examples are provided in the
> vlan_filter.example
>
> Thanks
>
> On 02/08/2017 11:54 AM, Philip Damian-Grint wrote:
>
> Hi Antoine,
>
> I reinstalled with PF 6.5.0-1, joined the server to AD, and machine
> authentication now works for a domain-joined PC. The only problem is that
> after a successful authentication, PF always places the port into the
> registration VLAN. It seems to ignore all sources, realms etc, and only
> look at the registration role on the switch itself. Is there something
> different I need to do for this release?
>
>
>
> On 6 February 2017 at 18:30, Antoine Amacher <[email protected]> wrote:
>
>> Philip,
>>
>> If you joined the domain via realm or samba from the CLI, there is a
>> configuration issue to handle machine authentication. It is fixed in 6.5,
>> running the migrate.pl should fix your issue.
>>
>> Thanks
>>
>> On 02/06/2017 12:21 PM, Philip Damian-Grint wrote:
>>
>> Hi Antoine,
>>
>> Thank you for responding.
>>
>> So I have a source for machine authentication which uses
>> servicePrincipalName.
>> I find the instructions unclear for configuring the realm - I have a
>> default realm which references my machine authentication source, but with
>> nothing in the Domain field. I am following option 1b in the admin guide so
>> I haven't run the migrate.pl task, but rather joined to the domain using
>> Samba. Is this not correct?
>>
>>
>>
>>
>> On 6 February 2017 at 16:40, Antoine Amacher <[email protected]> wrote:
>>
>>> Hello Philip
>>>
>>> You are trying to do Machine Authentication, make sure the "Username
>>> Attribute" you are looking for in your AD source is
>>> servicePrincipalName (machine auth) and not sAMAccountName (user auth).
>>>
>>> Also make sure your realms are configured.
>>> Let us know if that helps.
>>>
>>> Thanks
>>>
>>> On 02/06/2017 10:22 AM, Philip Damian-Grint wrote:
>>>
>>> Hello mailing list,
>>>
>>> Running PacketFence 6.4.0-1 on CentOS 7.3.1611
>>> Test switch is Cisco 2960 running 15.0(1)SE3
>>>
>>> I have joined the server to our AD domain
>>> net ads testjoin returns "Join is OK"
>>> I have enabled winbind, and ntlm_auth successfully authenticates domain
>>> users.
>>> I have issued a certificate from our AD PKI to the PF server, and also
>>> copied the CA cert into a separate eap-tls folder as suggested, then
>>> updated eap.conf - radiusd seems to be happy with it.
>>>
>>> I am trying to get dot1x *wired* machine authentication working for
>>> domain-joined machines.
>>>
>>> When I connect a domain-joined computer to a dot1x port the radiusd log
>>> shows:
>>> mschap: Program returned code (1) and output 'Logon failure (0xc000006d)'
>>>
>>> I have seen elsewhere in the mailing lists a few responses by Louis
>>> Munro around troubleshooting this with ntlm_auth, and certainly running
>>> ntlm_auth with the challenge and response shown in the log is giving me the
>>> same error.
>>>
>>> Not sure where to go with this - I think I probably don't understand my
>>> options on machine authentication in terms of certificate vs machine
>>> account/password, and therefore have an incomplete config.
>>>
>>> Would anyone be able to nudge me a little further along? I think I would
>>> like authentication by certificate for domain-joined machines to work,
>>> unless you can recommend otherwise.
>>>
>>>
>>>
>>>
>>> ------------------------------------------------------------------------------
>>> Check out the vibrant tech community on one of the world's most
>>> engaging tech sites, SlashDot.org! http://sdm.link/slashdot
>>>
>>> _______________________________________________
>>> PacketFence-users mailing list
>>> [email protected]
>>> https://lists.sourceforge.net/lists/listinfo/packetfence-users
>>>
>>> --
>>> Antoine [email protected]  ::  www.inverse.ca
>>> +1.514.447.4918 x130  ::  +1 (866) 353-6153 x130
>>> Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence
>>> (www.packetfence.org)
>>>
>
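
Added example, not part of the original thread and not PacketFence code: a small triage script that pairs each failed mschap/ntlm_auth result in radiusd debug output with the identity that was presented, and points at the "Username Attribute" advice given in the thread. The sample log is constructed (only the failure text comes from the thread); the log line layout, the host names and the assumption that machine identities arrive as "host/<fqdn>" are assumptions of this example.

```python
import re

# Constructed sample in the style of radiusd debug output. Only the
# "Logon failure (0xc000006d)" text is taken from the thread.
SAMPLE_LOG = """\
(7)   User-Name = "host/pc01.corp.example"
(7) mschap: Program returned code (1) and output 'Logon failure (0xc000006d)'
(8)   User-Name = "alice"
(8) mschap: Program returned code (0) and output 'NT_KEY: <redacted>'
(9)   User-Name = "bob@corp.example"
(9) mschap: Program returned code (1) and output 'Logon failure (0xc000006d)'
"""

USER_RE = re.compile(r'^\((\d+)\)\s+User-Name = "([^"]*)"')
PROG_RE = re.compile(
    r"^\((\d+)\) mschap: Program returned code \((\d+)\) and output '([^']*)'"
)

# Advice from the thread, keyed by the kind of identity that failed.
HINTS = {
    "machine": "AD source Username Attribute should be servicePrincipalName; "
               "check that the realm is configured",
    "user": "AD source Username Attribute should be sAMAccountName",
}


def identity_kind(user_name):
    """Assumption: domain-joined PCs present 'host/<fqdn>' for machine auth."""
    return "machine" if user_name.lower().startswith("host/") else "user"


def triage(log_text):
    """Return one finding per request whose ntlm_auth helper exited non-zero."""
    names, findings = {}, []
    for line in log_text.splitlines():
        m = USER_RE.match(line)
        if m:
            names.setdefault(m.group(1), m.group(2))  # first User-Name wins
            continue
        m = PROG_RE.match(line)
        if m and m.group(2) != "0":
            req, code, output = m.groups()
            name = names.get(req, "<unknown>")
            kind = identity_kind(name)
            findings.append({"request": req, "identity": name, "kind": kind,
                             "output": output, "hint": HINTS[kind]})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"req {f['request']}: {f['kind']} {f['identity']!r} -> "
              f"{f['output']} | {f['hint']}")
```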