Hello John,

Le 2018-08-03 à 11:18, John Sayce via PacketFence-users a écrit :
Hi,

I’ve set up 802.1X for my wireless.  I initially started using NPS but it didn't 
have the flexibility I wanted for dynamic VLAN assignment.  So I've set up 
PacketFence and my clients can authenticate, but they're not getting assigned 
the roles I'd like so that they then go into the appropriate VLAN.

Specifically I want to assign roles based on organisational unit.  Am I 
correct that the (best) way to do this is to create an Active Directory source 
for each role with a rule that then checks the distinguished name to get the 
organisational unit with the action to assign the appropriate role?  As I say, 
at the moment this doesn't appear to work, but I haven't tried to debug it yet, 
so I might have made a silly mistake somewhere.

As I remember, a DN cannot be used in an ldapsearch (https://www.openldap.org/lists/openldap-software/200503/msg00520.html), but maybe I am wrong. The better way to test it will be to configure a rule like distinguishedName regex ou=blablabla and use pftest to see if the rule matches.
Btw, I prefer to use groupMembership for that.

Initially I set up the client to skip verification of the server's certificate to see the 
RADIUS requests coming in.  Later I re-enabled the verification and added the 
certificates to the trusted root store but received an error about a valid trust anchor 
for this profile.  I believe I can override this by specifying the specific certificate 
in group policy but I didn't really understand the error message.  Ultimately I have a 
Microsoft PKI setup so I'd like to assign a certificate from this.  The manual says I 
then edit the "/usr/local/pf/conf/radiusd/eap.conf" and point the relevant 
settings at the certificates files approved by my Microsoft PKI.  Is that sufficient?  
And will I still get the error about a valid trust anchor?  I don't believe I encountered 
that issue with NPS.

NPS knows the Microsoft PKI, so by default I think there is already a certificate for it. So you will need to generate a certificate on the PKI for the RADIUS server (https://github.com/inverse-inc/packetfence/blob/devel/docs/pki/microsoft.asciidoc#radius-certificate-generation).

With that you will probably no longer get the "valid trust anchor" error with the devices joined to the domain, but you will still have it for the rest (you need to install the CA public key on each device).
Regards
Fabrice


Thanks
John
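As an added illustration (not code from this thread or from PacketFence itself), the following Python sketch evaluates the kind of distinguishedName regex rule Fabrice suggests over a few constructed DNs, answering the same question pftest would: which role does each user end up with? The user names, OUs and role names are made up; it also shows why the OU pattern should be anchored on the RDN separator rather than matched as a bare substring.

```python
import re

# Constructed sample distinguishedName values (not real directory data), as the
# PacketFence AD source would return them for each authenticating user.
USER_DNS = {
    "jsayce": "CN=John Sayce,OU=Sales,OU=Staff,DC=corp,DC=example",
    "asmith": "CN=Anne Smith,OU=SalesEngineering,OU=Staff,DC=corp,DC=example",
    "guest1": "CN=Guest One,ou=Guests,DC=corp,DC=example",
    # RDN value with an escaped comma: ",OU=Sales" here is part of the CN, not a
    # real OU, so a naive "ou=sales" substring rule would misclassify this user.
    "tricky": "CN=Evil\\,OU=Sales,OU=Guests,DC=corp,DC=example",
}

def ou_pattern(ou):
    # Anchor on an unescaped RDN separator so OU=Sales does not also match
    # OU=SalesEngineering or an escaped ",OU=Sales" inside another attribute value.
    return r"(?:^|(?<!\\),)OU=" + re.escape(ou) + r"(?:,|$)"

# Ordered "distinguishedName regex ou=..." rules; the first match wins.
DN_RULES = [
    (ou_pattern("Sales"), "sales"),
    (ou_pattern("SalesEngineering"), "engineering"),
    (ou_pattern("Guests"), "guest"),
]

def role_from_dn(dn, rules=DN_RULES, default="default"):
    # AD DNs are not case-normalised, so compare case-insensitively.
    for pattern, role in rules:
        if re.search(pattern, dn, re.IGNORECASE):
            return role
    return default

def naive_role_from_dn(dn, default="default"):
    # Bare substring version of the same rules, kept only for comparison.
    for needle, role in (("ou=sales", "sales"), ("ou=guests", "guest")):
        if needle in dn.lower():
            return role
    return default

def check_all():
    # Same question pftest answers: which role does each user end up with?
    return {user: role_from_dn(dn) for user, dn in USER_DNS.items()}
```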
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users

