Hello Luca,
For this case make sure the authentication type selected on the
supplicant is "User authentication or Machine authentication", make sure
both user and machine AD sources are enable on the connection profile.
This will allow for the machine to do MachineAuth when nobody is logged
in on the machine, and when a User logged in it will do User
authentication.
So during MachineAuth, the device will be assign to VLAN X -> Only AD,
when user logged in, the device will be assign to VLAN Y -> User VLAN.
Thanks
On 05/30/2017 04:17 AM, luca comes wrote:
hi Antoine,
thank you for your help. I tried with the new profile and I can do
machine authentication now. But I have a problem, at the first step I
do machine auth to put the hosts on a dedicated VLAN that can see only
active directory and nothing more. At this step the user can
authenticate on the machine or change AD password and so on. But when
the user is logged on I want put them on another VLAN based on the
role associated to the AD group? At the moment the user is
authenticated so I can see the node status registered to the user with
the correct role but no VLAN change is made. Is that possible?
Luca
Inviato da Outlook <http://aka.ms/weboutlook>
------------------------------------------------------------------------
*Da:* Antoine Amacher <[email protected]>
*Inviato:* lunedì 29 maggio 2017 17:55
*A:* [email protected]
*Oggetto:* Re: [PacketFence-users] mab+802.1x authentication
Hello Lucas,
To use MachineAuthentication, create an AD source like the one used
for your UserAuthentiction, replace the Username attribute:
"sAMAccountName" by "ServicePrincipalName". That will allow you to do
MachineAuthentication. Make sure to add this source on your connection
profile.
If the machine is in the domain with a valid machine account then it
will be able to authenticate.
To properly test MachineAuthentication, make sure that it is allowed
or enforced in the 802.1x supplicant configuration.
Thanks
On 05/29/2017 11:34 AM, luca comes wrote:
Hi Pedro,
yes I think so but I don't understand how to do this. I need to do a
new connection profile for it? At the moment I have only one
connection profile other than the default that take care of users.
I'm really confused.
Thanks
Luca
Inviato da Outlook <http://aka.ms/weboutlook>
------------------------------------------------------------------------
*Da:* Pedro Simões <[email protected]>
*Inviato:* lunedì 29 maggio 2017 17:06
*A:* [email protected]
*Oggetto:* Re: [PacketFence-users] mab+802.1x authentication
I think for that scenario you need to use machine authentication.
*From:*luca comes [mailto:[email protected]]
*Sent:* Monday, May 29, 2017 3:12 PM
*To:* [email protected]
*Subject:* [PacketFence-users] mab+802.1x authentication
Hi all,
I succesfully configured last release of PF with Cisco Catalyst 3750G
to perform 802.1x authentication over my AD Domain.
I'm studying the solution because the intention is to deploy it on
all my sites (more or less 15 sites and 1000 users). Actually the
server is located on our datacenter in out-of-band deployment and
locally on my test site I've configured registration and isolation
VLAN even if they are not used in 802.1x environment. The problem now
is that I need to permit AD authentication on PC's where credentials
are not in client's cache but at the begininning neither IP traffic
nor DHCP is permitted so users can't access the network. I thought
that a solution could be perform to factor authentication so at the
start of the process I could use MAB authentication and put them on
the registration VLAN opened to access the AD. But then I need to do
802.1x user authentication without pass through the registration
portal, is that possible? Is there a better way to deploy a solution
like that?
Thank you in advance
Luca
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org!http://sdm.link/slashdot
_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
--
Antoine Amacher
[email protected] ::www.inverse.ca
+1.514.447.4918 x130 :: +1 (866) 353-6153 x130
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence
(www.packetfence.org)
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
--
Antoine Amacher
[email protected] :: www.inverse.ca
+1.514.447.4918 x130 :: +1 (866) 353-6153 x130
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence
(www.packetfence.org)
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
