Hello Jason,

On 2017-11-21 at 23:40, Jason Sloan wrote:
> Fabrice,
>
> Totally understand being busy. Thanks for the reply. I was actually
> able to get this working a few hours ago, and hadn't had time to post
> a reply. I'm not sure what did it, perhaps adding "strip" to the realm
> options because the radius stripped name for hosts is host/<FQDN> -
> this likely accomplishes the same thing that you suggested but in a
> different manner. To be completely clear I couldn't find a normalize
> option but I did see: "RADIUS machine auth with username - Use the
> RADIUS username instead of the TLS certificate common name when doing
> machine authentication." Just to verify, this is the option you are
> suggesting, correct?
>
Yes, this is the option. It will use the attribute User-Name
(host/DESKTOP-6U152VD.mydomain.local) instead of the attribute
TLS-Client-Cert-Common-Name (DESKTOP-6U152VD.mydomain.local), so
User-Name will match the AD attribute servicePrincipalName.

Also, / is not considered a REALM separator in FreeRADIUS, so I am
not sure that strip fixed the issue.
 
> One other thing I noticed in the authentication request is the REALM
> is coming up as "NULL." Is this normal for RADIUS authenticated EAP-TLS?
For machine authentication, yes, this is normal, but I think it should be
possible to do a hack like we did in PacketFence Multidomain.
When the username is host/DESKTOP-6U152VD.mydomain.local, then set the
realm to mydomain.local and try to authenticate on the sources where
mydomain.local is defined.
>
> Much of the info I was reading from the listserv also had included
> adding source or sources to the realm, this is not available in the
> GUI, is this a .conf feature only or a feature of PF 6.x that was
> deprecated?
Now in PacketFence you define the associated realm in the source;
before, it was in the realm configuration where you defined the only
associated source.
>
> Thanks,
> -Jason
Regards
Fabrice


-- 
Fabrice Durand
fdur...@inverse.ca ::  +1.514.447.4918 (x135) ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
(http://packetfence.org) 
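
The realm behaviour discussed in this message, as an added example (not code from the thread, PacketFence or FreeRADIUS): a Python model of why `host/<FQDN>` ends up with realm NULL and how the suggested hack would derive the realm from the FQDN. `split_realm`, `machine_hack` and the `@` and `\` delimiters (taken from a stock FreeRADIUS realm configuration) are assumptions of this sketch.

```python
import re

NULL_REALM = "NULL"  # realm reported when no delimiter matches

# host/<hostname>.<dns.domain>: User-Name sent for machine authentication.
MACHINE_RE = re.compile(r"^host/([^./@\\\s]+)\.([^/@\\\s]+)$", re.IGNORECASE)


def split_realm(user_name, machine_hack=False):
    """Return (realm, name_used_for_lookup) for a RADIUS User-Name.

    machine_hack=False models plain realm parsing: only "@" (user@realm)
    and "\\" (REALM\\user) separate a realm; "/" does not.
    machine_hack=True adds the idea from the thread: take the DNS domain
    of host/<FQDN> as the realm.
    """
    if machine_hack:
        m = MACHINE_RE.match(user_name)
        if m:
            # DNS names are case-insensitive; this sketch assumes realms
            # are configured in lower case (assumption, not from the thread).
            domain = m.group(2).rstrip(".").lower()
            if domain:
                # Keep host/<FQDN> whole so it still matches
                # the AD attribute servicePrincipalName.
                return domain, user_name
    user, sep, realm = user_name.rpartition("@")
    if sep and user and realm:
        return realm, user
    realm, sep, user = user_name.partition("\\")
    if sep and user and realm:
        return realm, user
    return NULL_REALM, user_name


# Constructed sample names; the host name is the one quoted in the thread.
SAMPLES = [
    "host/DESKTOP-6U152VD.mydomain.local",  # machine auth, FQDN
    "host/DESKTOP-6U152VD",                 # machine auth, no DNS domain
    "jason@mydomain.local",                 # user@realm
    "MYDOMAIN\\jason",                      # REALM\user
]

if __name__ == "__main__":
    for name in SAMPLES:
        print(f"{name!r:45} plain={split_realm(name)} "
              f"hack={split_realm(name, machine_hack=True)}")
```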



_______________________________________________
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users
