Hi Antoine,

I'm doing more tests but point 2 is not so clear to me. To match the new connection 
profile do I also need to specify a source other than the connection type filter? 
In that case which type of source should I add? I want clients that are not 802.1x 
capable or are outside of my domain to take a specific profile and be put on the 
registration VLAN. At the moment I've created a new connection profile as you 
suggested and configured the switch to use MAB after the 802.1x timeout, but the 
clients are always registered and assigned to a role specified in another 
connection profile.


Luca


Sent from Outlook<http://aka.ms/weboutlook>


________________________________
From: Antoine Amacher <aamac...@inverse.ca>
Sent: Wednesday, 31 May 2017 22:19
To: packetfence-users@lists.sourceforge.net
Subject: Re: [PacketFence-users] mab+802.1x authentication


Hello Lucas,


1. I am pretty sure Windows favors UserAuthentication if a user is logged in and 
"User or Machine" is selected in the supplicant.

You could also set up the connection as UserAuth only, but then you lose your 
Machine Authentication. Have a look in VLANfilters, there is a case example 
where we want the endpoint to have a machine account before UserAuthentication 
is allowed. Which means every device matching this filter will have to 
do Machine Auth first, then User Auth.

You could also reduce the timeout for 802.1x re-auth on the switch 
configuration, which would force a re-authentication from the device.


2. To force a profile to be used when the connection is MAB, simply add a 
filter in the connection profile: 'Connection Type: WIRED_MAC_AUTH'.


Thanks
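
The following is an added illustration, not code from this thread or from PacketFence, of the three mechanisms Antoine describes in this reply and in his two earlier replies further down (a MAB-only connection profile selected by a 'Connection Type' filter, a machine-auth AD source keyed on ServicePrincipalName beside a user source keyed on sAMAccountName, and the resulting VLAN X / VLAN Y assignment). It models profile selection as "first matching profile in list order wins", which is an assumption of the model; the WIRED_802_1X constant, profile and VLAN names, the 'host/<fqdn>' machine-identity convention and the directory contents are constructed for the example. The last case shows why a catch-all profile listed before the MAB profile would capture MAB clients, which is one explanation for the behaviour Luca reports.

```python
"""Model of connection-profile selection as discussed in this thread.

Added example, not PacketFence code. Profiles are evaluated in order and the
first matching filter wins; the matched profile decides which sources are
tried; a MAB connection carries no credentials and lands in the profile's
registration VLAN; an 802.1X identity of the form 'host/<fqdn>' is treated as
a machine account (matched on servicePrincipalName), anything else as a user
(matched on sAMAccountName). All names and directory data are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

WIRED_MAC_AUTH = "WIRED_MAC_AUTH"   # value named in the thread
WIRED_802_1X = "WIRED_802_1X"       # assumed counterpart for wired 802.1X


@dataclass
class Source:
    """An AD-style source: the attribute the RADIUS identity is matched
    against, plus a constructed directory of identity -> role."""
    name: str
    username_attr: str          # "sAMAccountName" (users) or "servicePrincipalName" (machines)
    directory: Dict[str, str]   # lower-cased identity -> role


@dataclass
class Profile:
    """A connection profile: connection-type filter (empty set = matches
    everything), the sources it tries, and the VLAN for each role."""
    name: str
    connection_types: Set[str]
    sources: List[Source]
    role_vlans: Dict[str, str]
    registration_vlan: str = "vlan_registration"


def identity_kind(user_name: str) -> str:
    """Windows supplicants send 'host/<fqdn>' for machine auth and
    'DOMAIN\\user' or 'user@domain' for user auth."""
    return "machine" if user_name.lower().startswith("host/") else "user"


def select_profile(profiles: List[Profile], connection_type: str) -> Optional[Profile]:
    """First profile whose filter matches wins, so list order matters."""
    for profile in profiles:
        if not profile.connection_types or connection_type in profile.connection_types:
            return profile
    return None


def authorize(profiles: List[Profile], connection_type: str,
              user_name: Optional[str] = None) -> Dict[str, Optional[str]]:
    """Return the profile, role and VLAN an endpoint ends up with."""
    profile = select_profile(profiles, connection_type)
    if profile is None:
        return {"profile": None, "role": None, "vlan": None}
    # MAB presents only the MAC address: no source can vouch for a role.
    if connection_type == WIRED_MAC_AUTH or user_name is None:
        return {"profile": profile.name, "role": None, "vlan": profile.registration_vlan}
    wanted = "servicePrincipalName" if identity_kind(user_name) == "machine" else "sAMAccountName"
    for source in profile.sources:
        if source.username_attr != wanted:
            continue
        role = source.directory.get(user_name.lower())
        if role is not None:
            return {"profile": profile.name, "role": role, "vlan": profile.role_vlans.get(role)}
    # Authenticated identity unknown to every source: treat as unregistered.
    return {"profile": profile.name, "role": None, "vlan": profile.registration_vlan}


# Constructed directory data and profiles.
AD_USERS = Source("ad_users", "sAMAccountName", {"corp\\lcomes": "staff"})
AD_MACHINES = Source("ad_machines", "servicePrincipalName",
                     {"host/pc01.corp.example": "domain_machine"})

DOT1X_PROFILE = Profile("dot1x", {WIRED_802_1X}, [AD_MACHINES, AD_USERS],
                        {"domain_machine": "vlan_ad_only", "staff": "vlan_users"})
MAB_PROFILE = Profile("mab_fallback", {WIRED_MAC_AUTH}, [], {},
                      registration_vlan="vlan_registration")
CATCH_ALL = Profile("default", set(), [AD_USERS], {"staff": "vlan_users"},
                    registration_vlan="vlan_default")


def walkthrough() -> Dict[str, Optional[str]]:
    """VLANs for the three cases in the thread, plus the mis-ordering case."""
    ordered = [DOT1X_PROFILE, MAB_PROFILE, CATCH_ALL]
    misordered = [CATCH_ALL, DOT1X_PROFILE, MAB_PROFILE]
    return {
        "machine_auth": authorize(ordered, WIRED_802_1X, "host/PC01.corp.example")["vlan"],
        "user_auth": authorize(ordered, WIRED_802_1X, "CORP\\lcomes")["vlan"],
        "mab_ordered": authorize(ordered, WIRED_MAC_AUTH)["vlan"],
        "mab_misordered": authorize(misordered, WIRED_MAC_AUTH)["vlan"],
        "mab_misordered_profile": authorize(misordered, WIRED_MAC_AUTH)["profile"],
    }


if __name__ == "__main__":
    for case, value in walkthrough().items():
        print(f"{case:24s} -> {value}")
```

Run it stand-alone to print the four outcomes. The point to check on a real deployment is the same as in the model: a MAB client should land in the MAB profile (and its registration VLAN), and a machine identity should only ever match the source keyed on ServicePrincipalName, never the user source.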

On 05/31/2017 03:24 AM, luca comes wrote:

Hi Antoine,

I then tried and machine auth is working fine. The main problem is that when a 
user logs in it is not moved to the right VLAN. Debugging 802.1x requests on the 
switch I can see that dot1x times out and it falls back to MAB authentication. So I 
have two questions:


  1.  Is there a way to force the client to send the user? I've configured it 
with the option user or machine authentication. Could it be a client's bug? I'm 
testing on a Windows 10 machine at the moment, I will try the same on a Windows 
8 client;
  2.  When it switches to MAB authentication it gets owner default and takes a 
profile (named Test at the moment) but I don't understand how to associate the 
profile to the MAB auth;


Thanks


Luca


Sent from Outlook<http://aka.ms/weboutlook>


________________________________
From: Antoine Amacher <aamac...@inverse.ca><mailto:aamac...@inverse.ca>
Sent: Tuesday, 30 May 2017 15:39
To: 
packetfence-users@lists.sourceforge.net<mailto:packetfence-users@lists.sourceforge.net>
Subject: Re: [PacketFence-users] mab+802.1x authentication


Hello Luca,


For this case make sure the authentication type selected on the supplicant is 
"User authentication or Machine authentication", and make sure both user and 
machine AD sources are enabled on the connection profile.

This will allow the machine to do MachineAuth when nobody is logged in on 
the machine, and when a user is logged in it will do User authentication.


So during MachineAuth, the device will be assigned to VLAN X -> Only AD; when 
the user is logged in, the device will be assigned to VLAN Y -> User VLAN.


Thanks

On 05/30/2017 04:17 AM, luca comes wrote:

hi Antoine,

thank you for your help. I tried with the new profile and I can do machine 
authentication now. But I have a problem: at the first step I do machine auth 
to put the hosts on a dedicated VLAN that can see only Active Directory and 
nothing more. At this step the user can authenticate on the machine or change 
the AD password and so on. But when the user is logged on I want to put them on 
another VLAN based on the role associated to the AD group. At the moment the 
user is authenticated so I can see the node status registered to the user with 
the correct role but no VLAN change is made. Is that possible?


Luca


Sent from Outlook<http://aka.ms/weboutlook>


________________________________
From: Antoine Amacher <aamac...@inverse.ca><mailto:aamac...@inverse.ca>
Sent: Monday, 29 May 2017 17:55
To: 
packetfence-users@lists.sourceforge.net<mailto:packetfence-users@lists.sourceforge.net>
Subject: Re: [PacketFence-users] mab+802.1x authentication


Hello Lucas,


To use MachineAuthentication, create an AD source like the one used for your 
UserAuthentication, replacing the Username attribute "sAMAccountName" with 
"ServicePrincipalName". That will allow you to do MachineAuthentication. Make 
sure to add this source on your connection profile.


If the machine is in the domain with a valid machine account then it will be 
able to authenticate.


To properly test MachineAuthentication, make sure that it is allowed or 
enforced in the 802.1x supplicant configuration.


Thanks

On 05/29/2017 11:34 AM, luca comes wrote:

Hi Pedro,

yes I think so but I don't understand how to do this. Do I need to create a new 
connection profile for it? At the moment I have only one connection profile 
other than the default, which takes care of users. I'm really confused.


Thanks


Luca


Sent from Outlook<http://aka.ms/weboutlook>


________________________________
From: Pedro Simões <pedro.sim...@layer8.pt><mailto:pedro.sim...@layer8.pt>
Sent: Monday, 29 May 2017 17:06
To: 
packetfence-users@lists.sourceforge.net<mailto:packetfence-users@lists.sourceforge.net>
Subject: Re: [PacketFence-users] mab+802.1x authentication


I think for that scenario you need to use machine authentication.



From: luca comes [mailto:lucaco...@hotmail.it]
Sent: Monday, May 29, 2017 3:12 PM
To: 
packetfence-users@lists.sourceforge.net<mailto:packetfence-users@lists.sourceforge.net>
Subject: [PacketFence-users] mab+802.1x authentication



Hi all,

I successfully configured the latest release of PF with a Cisco Catalyst 3750G to 
perform 802.1x authentication against my AD domain.

I'm studying the solution because the intention is to deploy it on all my sites 
(more or less 15 sites and 1000 users). Currently the server is located in our 
datacenter in an out-of-band deployment, and locally on my test site I've 
configured registration and isolation VLANs even if they are not used in an 802.1x 
environment. The problem now is that I need to permit AD authentication on PCs 
where credentials are not in the client's cache, but at the beginning neither IP 
traffic nor DHCP is permitted so users can't access the network. I thought that 
a solution could be to perform two-factor authentication, so at the start of the 
process I could use MAB authentication and put them on the registration VLAN 
opened to access AD. But then I need to do 802.1x user authentication 
without passing through the registration portal, is that possible? Is there a 
better way to deploy a solution like that?



Thank you in advance



Luca



------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot



_______________________________________________
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net<mailto:PacketFence-users@lists.sourceforge.net>
https://lists.sourceforge.net/lists/listinfo/packetfence-users



--
Antoine Amacher
aamac...@inverse.ca<mailto:aamac...@inverse.ca>  ::  
www.inverse.ca<http://www.inverse.ca>
+1.514.447.4918 x130  :: +1 (866) 353-6153 x130
Inverse inc. :: Leaders behind SOGo (www.sogo.nu<http://www.sogo.nu>) and 
PacketFence (www.packetfence.org<http://www.packetfence.org>)





