Hello Steve,
packetfence-local-auth {
    packetfence-set-tenant-id
    # Disable ntlm_auth (Active Directory)
    update control {
        &MS-CHAP-Use-NTLM-Auth := No
    }
    # Check password table for local user
    pflocal
    if (fail || notfound || noop) {
        # Check password table with email and password for a sponsor registration
        pfguest
        if (fail || notfound || noop) {
            # Check password table with email and password for a guest registration
            pfsponsor
            if (fail || notfound || noop) {
                # Check activation table with phone number and PIN code
                pfsms
                if (fail || notfound || noop) {
                    # All failed then enable ntlm_auth to check the AD
                    update control {
                        &MS-CHAP-Use-NTLM-Auth := Yes
                    }
                }
            }
        }
    }
}
So AD auth is disabled at the beginning, we test all the local sources,
and if all fail then AD auth is enabled and PacketFence will try to
authenticate on the AD.
So you can have both at the same time and, let's say, the first match wins.
Regards
Fabrice
On 2018-06-20 at 08:46, Steve Pfister via PacketFence-users wrote:
It sounds like the answer is no, you can't have both at the same time.
Am I understanding correctly?
Thanks!
On 6/19/2018 9:17 PM, Durand fabrice via PacketFence-users wrote:
Hello Steve,
In the FreeRADIUS unlang logic
(https://github.com/inverse-inc/packetfence/blob/devel/raddb/policy.d/packetfence#L8)
if you enable packetfence-local-auth then ntlm_auth will be disabled,
and if no local authentication worked then it enables ntlm_auth back.
If you have a raddebug trace it will be easy to see what the problem is.
raddebug -f /usr/local/pf/var/run/radiusd.sock -t 3000
Regards
Fabrice
On 2018-06-19 at 14:16, Steve Pfister via PacketFence-users wrote:
Are there any problems with allowing 802.1x authentication against
our Active Directory, and against locally defined users too? I've
gotten them both working separately. Now I'm trying to get both
working at the same time and neither are working.
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
--
Fabrice Durand
[email protected] :: +1.514.447.4918 (x135) :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence
(http://packetfence.org)
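
Added example (not part of the original thread, and not PacketFence code): a small script that reads a raddebug trace and reports, per request, which source in the packetfence-local-auth chain decided the outcome and whether ntlm_auth was switched back on. The trace below is constructed, and its line layout is an assumption modeled on FreeRADIUS 3 debug output; the function and variable names are hypothetical.

```python
import re

# Constructed sample modeled on FreeRADIUS 3 debug output; not a real trace.
SAMPLE_TRACE = """\
(7)     update control {
(7)       &MS-CHAP-Use-NTLM-Auth := No
(7)     } # update control = noop
(7)     [pflocal] = notfound
(7)     [pfguest] = notfound
(7)     [pfsponsor] = notfound
(7)     [pfsms] = notfound
(7)     update control {
(7)       &MS-CHAP-Use-NTLM-Auth := Yes
(7)     } # update control = noop
(8)     update control {
(8)       &MS-CHAP-Use-NTLM-Auth := No
(8)     } # update control = noop
(8)     [pflocal] = ok
"""

# Order of the local sources in the policy quoted in the thread.
LOCAL_SOURCES = ("pflocal", "pfguest", "pfsponsor", "pfsms")
# Return codes the policy treats as "try the next source".
FALL_THROUGH = {"fail", "notfound", "noop"}
RCODE_RE = re.compile(r"\((\d+)\)\s+\[(\w+)\] = (\w+)")
NTLM_RE = re.compile(r"\((\d+)\)\s+&MS-CHAP-Use-NTLM-Auth := (Yes|No)")

def summarize(trace):
    """Map request id -> module rcodes, final NTLM flag and deciding source."""
    requests = {}
    for line in trace.splitlines():
        m = RCODE_RE.search(line)
        if m and m.group(2) in LOCAL_SOURCES:
            req = requests.setdefault(m.group(1), {"rcodes": {}, "ntlm": None})
            req["rcodes"][m.group(2)] = m.group(3)
            continue
        m = NTLM_RE.search(line)
        if m:
            req = requests.setdefault(m.group(1), {"rcodes": {}, "ntlm": None})
            req["ntlm"] = m.group(2)  # the last assignment in the trace wins
    for req in requests.values():
        # A source decides the request if it ran and did not fall through.
        hits = [s for s in LOCAL_SOURCES
                if req["rcodes"].get(s) not in FALL_THROUGH | {None}]
        req["decided_by"] = hits[0] if hits else (
            "ntlm_auth" if req["ntlm"] == "Yes" else "none")
    return requests

if __name__ == "__main__":
    for rid, req in summarize(SAMPLE_TRACE).items():
        print(rid, req["decided_by"], req["rcodes"], "NTLM:", req["ntlm"])
```

A request that shows "none" with NTLM still "No" means the chain stopped before the final update control block, which is the place to look when both local and AD logins fail.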