This is great, thank you, Fabrice!
I may be special or spellbound to all sorts of bumps on the deployment road but
nothing works for me the first time.
Now my realm associated with AD works nicely.
Eugene
From: Fabrice Durand via PacketFence-users
[mailto:[email protected]]
Sent: Monday, January 08, 2018 6:49 AM
To: [email protected]
Cc: Fabrice Durand
Subject: Re: [PacketFence-users] Assistance with AD dot1x
Hello All,
Just to clarify some points.
First, realmd can't be used because we have to use ntlm_auth in FreeRADIUS to
authenticate users for EAP/PEAP MSCHAPv2.
Next, Configuration → Policies and Access Control → Domains → Active Directory
Domains – Add Domain is only to join the machine to a Windows domain (it creates
a chroot for each domain).
Configuration → Policies and Access Control → Domains → Realms is to associate
a realm to a Windows domain. It means that if the username is [email protected] then
if there is a realm defined for acme.edu then it will use the domain associated
to it to validate the credentials (in FreeRADIUS).
Don't forget that the username can be ACME\bob, so you will need to create a
realm ACME too.
Last thing, in Configuration → Policies and Access Control → Authentication
Sources (Type Internal), when you define a realm associated to a source (like
acme.edu) then it means that if you use on the portal or for 802.1x auto
registration a username like [email protected] then PacketFence will use it (you
can strip the username if needed in the source).
Regards
Fabrice
On 2018-01-07 at 19:32, E.P. via PacketFence-users wrote:
I’m curious, did you create a new realm or use the default one and link it
to AD?
I tried to create a new realm and it is placed at the end of the list and the
authentication never reached it.
It only worked for me if I link the default realm to AD
Eugene
From: [email protected] [mailto:[email protected]]
Sent: Sunday, January 07, 2018 5:18 AM
To: 'E.P.'; [email protected]
Subject: RE: [PacketFence-users] Assistance with AD dot1x
Thanks for that Eugene, I will take a look at that log tomorrow morning. The
issue is when we try to add the domain via domains>active directory domains>add
domain. Strangely connecting via realmd works without issue every time.
John
From: E.P. [mailto:[email protected]]
Sent: 05 January 2018 19:32
To: [email protected]
Cc: [email protected]
Subject: RE: [PacketFence-users] Assistance with AD dot1x
Hi John,
I still have a fresh experience with configuring AD in PF and it worked for me
on the first try.
Just to understand it clearly, you can’t complete the configuration if you add
the source, i.e.
From the Configuration → Policies and Access Control → Authentication Sources,
Add source → Internal - AD.
Or it is failing on adding the domain, i.e.
Configuration → Policies and Access Control → Domains → Active Directory
Domains – Add Domain
And of course, as it is stated in the admin guide, I’d go checking this file
for any clues:
/chroots/<mydomain>/var/log/samba<mydomain>/log.winbindd. Replace <mydomain>
with the identifier you set in the domain configuration.
Eugene
From: john--- via PacketFence-users
[mailto:[email protected]]
Sent: Friday, January 05, 2018 5:00 AM
To: [email protected]
Cc: [email protected]
Subject: [PacketFence-users] Assistance with AD dot1x
Good afternoon everyone,
We are currently working with PF7.3 on CentOS 7 and no matter what we do we
cannot get AD to complete configuration, it simply returns “Null” so obviously
fails. When we use realmd it works fine. My question initially is, does this
affect dot1x authentication via AD if we complete this only using realmd and
not the configuration panel AD connection method? As always your help is
greatly appreciated.
John
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
--
Fabrice Durand
[email protected] :: +1.514.447.4918 (x135) :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence
(http://packetfence.org)
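
The realm-to-domain association Fabrice describes above, as an added example that is not part of the original thread and is not PacketFence or FreeRADIUS code. It models why both acme.edu and ACME need a realm entry; the table, the "acme_ad" domain identifier, the sample usernames and the case-insensitive comparison are assumptions made for illustration.

```python
# Illustrative model only. REALM_TO_DOMAIN is a constructed table and
# "acme_ad" is a hypothetical domain identifier.
# Assumption: realm names are compared case-insensitively, so keys are lowercase.
REALM_TO_DOMAIN = {
    "acme.edu": "acme_ad",  # matches user@acme.edu
    "acme": "acme_ad",      # matches ACME\user
}


def split_username(username):
    """Return (realm, bare_user); realm is None when the name carries none."""
    if "\\" in username:                    # NetBIOS style: REALM\user
        realm, user = username.split("\\", 1)
    elif "@" in username:                   # UPN style: user@realm
        user, realm = username.rsplit("@", 1)
    else:
        return None, username
    return (realm.lower() or None), user


def domain_for(username, realm_table=REALM_TO_DOMAIN, default_domain=None):
    """Return (domain, stripped_user). default_domain models a domain linked
    to a catch-all realm; None means no domain validates the credentials."""
    realm, user = split_username(username)
    domain = realm_table.get(realm, default_domain) if realm else default_domain
    return domain, user


def unmapped_realms(usernames, realm_table=REALM_TO_DOMAIN):
    """Realms seen in the usernames that have no domain association."""
    seen = {split_username(u)[0] for u in usernames}
    return sorted(r for r in seen if r and r not in realm_table)


if __name__ == "__main__":
    # Constructed sample usernames, as they might appear in 802.1X requests.
    samples = ["bob@acme.edu", "ACME\\bob", "alice"]
    only_fqdn = {"acme.edu": "acme_ad"}     # realm ACME was not created
    for name in samples:
        print(name, "->", domain_for(name, only_fqdn))
    print("realms missing an association:", unmapped_realms(samples, only_fqdn))
```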