Hello Mourik,
it's completely normal, you have to think that winbind and ldap are
different.
When you join the packetfence server to the domain it means that you can
do 802.1x peap auth but if you create an AD authentication source on
PacketFence then you can't do 802.1x (AD authentication source is ldap
and can be used for the portal).
But it doesn't mean that creating an AD source is useless, let's take a
few examples.
1: You have an openssid and define a connection profile that match on
the ssid name and assign the AD source in this connection profile. So
when you will hit the portal you will AUTHENTICATE on the AD source with
your credentials and compute the rules to have the role and the
unregdate. (ldap bind)
2: You have a secure ssid and define a connection profile that match on
the ssid name and assign the AD source in this connection profile. So
when you will hit the portal you will compute the rules to have the role
and the unregdate. (ldap bind). In this case the AUTHENTICATION is made
in freeradius (winbind) and freeradius just asks packetfence for the vlan.
So what happens in your case is example 2, freeradius does your user
and host authentication but after that you have to define a
connection profile that match the ssid and add AD source (user and
machine) that will be able to compute the rule.
So for example create 2 AD sources, one for Machine auth (user
attribute: servicePrincipalName) and another one for user auth (user
attribute: sAMAccountName) then add them to your connection profile.
After that create your rules in the AD Source, for example in the
AD machine source a rule catch_all that assigns a role machine and an
access duration of 1 week and create a catch_all rule in the AD user source
that returns the REJECT role and an access duration of 1 hour.
So machine auth will work but user auth will be REJECT.
It's sometimes a little bit complex to understand but once you catch it
it will be trivial to configure.
Regards
Fabrice
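As an added illustration (not part of the thread), this is how the two AD sources and catch_all rules described above could be written in authentication.conf, reusing the source names and bind settings from the config dump further down; the rule names, the durations, the profile name, the SSID name and the filter=ssid: syntax are assumptions.

```ini
# authentication.conf fragment (added example, not the list's own config):
# bind settings copied from the dump below; rule names/durations assumed.
[company-ad-computers]
description=samba4 ad computers (via haproxy)
type=AD
scope=one
usernameattribute=servicePrincipalName
stripped_user_name=yes
dynamic_routing_module=AuthModule
binddn=cn=search,cn=users,dc=samba,dc=company,DC=com
basedn=CN=Computers,DC=samba,DC=company,DC=com
password=secretsecret
host=127.0.0.1
port=636
encryption=ssl

# Machine auth: host/... accounts found under CN=Computers get the
# "machine" role for one week (freeradius/winbind already did the auth).
[company-ad-computers rule catch_all]
description=machine accounts, 1 week
class=authentication
match=all
action0=set_role=machine
action1=set_access_duration=1W

[company-ad-users]
description=samba4 ad users (via haproxy)
type=AD
scope=one
usernameattribute=sAMAccountName
stripped_user_name=yes
dynamic_routing_module=AuthModule
binddn=cn=search,cn=users,dc=samba,dc=company,DC=com
basedn=CN=Users,DC=samba,DC=company,DC=com
password=secretsecret
host=127.0.0.1
port=636
encryption=ssl

# User auth: the reserved REJECT role refuses the session even though the
# credentials were accepted by freeradius, so only machine auth gets access.
[company-ad-users rule catch_all]
description=user accounts rejected
class=authentication
match=all
action0=set_role=REJECT
action1=set_access_duration=1h

# profiles.conf fragment (assumed profile name, SSID and filter syntax):
# both sources are attached to the profile matching the secure SSID.
[secure-ssid]
description=802.1X SSID, machine auth only
filter=ssid:CompanySecure
sources=company-ad-computers,company-ad-users
```

Because sources are evaluated in the order listed, a host/ account is matched by the computers source before the users source is consulted.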
Le 2017-07-11 à 08:58, mourik jan heupink a écrit :
Hi Fabrice,
Thanks for your answer!
On 07/11/2017 02:07 AM, Durand fabrice via PacketFence-users wrote:
When you start your computer , before login with your user account
the device authenticate with the machine account. (this is what you
configured on the device).
Yes, this I understand. And this is what I expect with usersource
CN=Computers,DC=ad,DC=company,DC=com and with username set to
servicePrincipalName
With that usersource, I would expect only machine account
authentications to work. But machines AND users (are in
CN=Users,...) both work.
It probably works because the machine auth worked on the first time
(I need logs to verify that).
But after the user logged on, the USER is authenticated, as can be
seen from the logs:
Jul 10 19:42:00 pf auth[1892]: (48) Login OK:
[host/P002507.ad.company.com] (from client a.b.c.248 port 134 cli
2c:41:38:90:68:8f via TLS tunnel)
Jul 10 19:42:00 pf auth[1892]: (49) Login OK:
[host/P002507.ad.company.com] (from client a.b.c.248 port 134 cli
2c:41:38:90:68:8f)
Jul 10 19:42:13 pf auth[1892]: rlm_rest (rest): Closing connection
(6): Hit idle_timeout, was idle for 71 seconds
Jul 10 19:42:13 pf auth[1892]: Need 1 more connections to reach min
connections (3)
Jul 10 19:42:13 pf auth[1892]: rlm_rest (rest): Opening additional
connection (8), 1 of 62 pending slots used
Jul 10 19:42:13 pf auth[1892]: rlm_sql (sql): Closing connection (8):
Hit idle_timeout, was idle for 71 seconds
Jul 10 19:42:13 pf auth[1892]: Need 1 more connections to reach min
connections (3)
Jul 10 19:42:13 pf auth[1892]: rlm_sql (sql): Opening additional
connection (10), 1 of 62 pending slots used
Jul 10 19:42:13 pf auth[1892]: (58) Login OK: [DOMAIN\username]
(from client a.b.c.248 port 134 cli 2c:41:38:90:68:8f via TLS tunnel)
Jul 10 19:42:13 pf auth[1892]: (59) Login OK: [DOMAIN\username] (from
client a.b.c.248 port 134 cli 2c:41:38:90:68:8f)
So packetfence seems to be able to authenticate both users and
machines. (both packetfence and the workstation have been rebooted)
I need to check the config you did. (profiles.conf, authentication.conf)
I will provide them below, though I don't see how the contents of
profiles.conf is relevant..?
Curious to your findings!
root@pf:/usr/local/pf/conf# cat profiles.conf
#
# Copyright (C) 2005-2017 Inverse inc.
#
# See the enclosed file COPYING for license information (GPL).
# If you did not receive this file, see
# http://www.fsf.org/licensing/licenses/gpl.html
[default]
logo=/common/packetfence.jpg
redirecturl=https://www.company.com
always_use_redirecturl=enabled
login_attempt_limit=5
sources=company-ad-users,email
access_registration_when_registered=enabled
#
# Copyright (C) 2005-2017 Inverse inc.
#
# See the enclosed file COPYING for license information (GPL).
# If you did not receive this file, see
# http://www.fsf.org/licensing/licenses/gpl.html
root@pf:/usr/local/pf/conf# cat authentication.conf
[local]
description=Local Users
dynamic_routing_module=AuthModule
type=SQL
stripped_user_name=yes
[file1]
description=Legacy Source
dynamic_routing_module=AuthModule
path=/usr/local/pf/conf/admin.conf
type=Htpasswd
stripped_user_name=yes
[file1 rule admins]
description=All admins
class=administration
match=all
action0=set_access_level=ALL
[email]
description=Email-based registration
email_activation_timeout=20m
allow_localdomain=yes
dynamic_routing_module=AuthModule
type=Email
create_local_account=no
[email rule company]
description=email ends company.com
class=authentication
match=any
action0=set_role=company
action1=set_access_duration=1Y
condition0=user_email,ends,company.com
[email rule university]
description=university
class=authentication
match=any
action0=set_role=university
action1=set_access_duration=1Y
condition0=user_email,ends,university.nl
condition1=user_email,ends,uni.nl
[email rule catchall]
description=anyone, 1 month wifi access
class=authentication
match=all
action0=set_role=guest
action1=set_access_duration=1M
[sponsor]
description=Sponsor-based registration
type=SponsorEmail
create_local_account=no
dynamic_routing_module=AuthModule
allow_localdomain=yes
email_activation_timeout=30m
[sponsor rule catchall]
description=
class=authentication
match=all
action0=set_role=guest
action1=set_access_duration=1D
[null]
description=Null Source
dynamic_routing_module=AuthModule
type=Null
email_required=no
[null rule catchall]
description=catchall
class=authentication
match=all
action0=set_role=guest
action1=set_access_duration=1D
[company-ad-users]
description=samba4 ad users (via haproxy)
type=AD
scope=one
usernameattribute=sAMAccountName
stripped_user_name=yes
email_attribute=mail
dynamic_routing_module=AuthModule
binddn=cn=search,cn=users,dc=samba,dc=company,DC=com
basedn=CN=Users,DC=samba,DC=company,DC=com
password=secretsecret
connection_timeout=5
host=127.0.0.1
port=636
encryption=ssl
[company-ad-users rule domain_admins_administration]
description=set webadmin access level
class=administration
match=any
action0=set_access_level=ALL
condition0=memberOf,equals,CN=Domain Admins,CN=Users,DC=samba,DC=company,DC=com
[company-ad-users rule domain_admins_authentication]
description=10 jaar, en set role
class=authentication
match=any
action0=set_access_duration=10Y
action1=set_role=unu_company_domain_admins
condition0=memberOf,equals,CN=Domain Admins,CN=Users,DC=samba,DC=company,DC=com
[company-ad-users rule domain_users]
description=company domain users
class=authentication
match=all
action0=set_role=unu_company_domain_users
action1=set_access_duration=1Y
[company-ad-computers]
description=samba4 ad computers (via haproxy)
type=AD
scope=one
usernameattribute=servicePrincipalName
stripped_user_name=yes
email_attribute=mail
dynamic_routing_module=AuthModule
binddn=cn=search,cn=users,dc=samba,dc=company,DC=com
basedn=CN=Computers,DC=samba,DC=company,DC=com
password=secretsecret
connection_timeout=5
host=127.0.0.1
port=636
encryption=ssl
Curious to your comments :-)
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users