Hi everyone, I have set up 802.1x using EAP-TLS with MSPKI per the PacketFence Installation Guide. User authentication works, but I have a problem with machine authentication. I do not have much experience with PacketFence or FreeRADIUS, but to me it looks like the machine does not get assigned any role, and thus it ends up in my registration VLAN. It appears to me that it is not matching my AD workstation source. It looks like PacketFence is using the machine name with the domain and host part stripped during authentication. Could someone shed some light on this topic for me? I am posting the related packetfence.log here, somewhat sanitized:
Oct 13 12:15:12 gethq-s23 packetfence_httpd.aaa: httpd.aaa(1864) INFO: [mac:f4:30:b9:d0:f8:fe] handling radius autz request: from switch_ip => (172.20.0.6), connection_type => Ethernet-EAP,switch_mac => (f8:4f:57:17:92:01), mac => [f4:30:b9:d0:f8:fe], port => 10101, username => "MY-TESTWS02" (pf::radius::authorize)
Oct 13 12:15:12 gethq-s23 packetfence_httpd.aaa: httpd.aaa(1864) INFO: [mac:f4:30:b9:d0:f8:fe] Instantiate profile 802.1x (pf::Connection::ProfileFactory::_from_profile)
Oct 13 12:15:12 gethq-s23 packetfence_httpd.aaa: httpd.aaa(1864) INFO: [mac:f4:30:b9:d0:f8:fe] Found authentication source(s) : 'ad-ws,ad-employees' for realm 'null' (pf::config::util::filter_authentication_sources)
Oct 13 12:15:12 gethq-s23 packetfence_httpd.aaa: httpd.aaa(1864) WARN: [mac:f4:30:b9:d0:f8:fe] Calling match with empty/invalid rule class. Defaulting to 'authentication' (pf::authentication::match2)
Oct 13 12:15:12 gethq-s23 packetfence_httpd.aaa: httpd.aaa(1864) INFO: [mac:f4:30:b9:d0:f8:fe] Using sources ad-ws, ad-employees for matching (pf::authentication::match2)
Oct 13 12:15:12 gethq-s23 packetfence_httpd.aaa: httpd.aaa(1864) ERROR: [mac:f4:30:b9:d0:f8:fe] Error binding 'Connection reset by peer' (pf::LDAP::bind)
Oct 13 12:15:12 gethq-s23 packetfence_httpd.aaa: httpd.aaa(1864) WARN: [mac:f4:30:b9:d0:f8:fe] LDAP connection expired (pf::LDAP::expire_if)
Oct 13 12:15:12 gethq-s23 packetfence_httpd.aaa: httpd.aaa(1864) WARN: [mac:f4:30:b9:d0:f8:fe] No role specified or found for pid MY-TESTWS02 (MAC f4:30:b9:d0:f8:fe); assume maximum number of registered nodes is reached (pf::node::is_max_reg_nodes_reached)
Oct 13 12:15:12 gethq-s23 packetfence_httpd.aaa: httpd.aaa(1864) ERROR: [mac:f4:30:b9:d0:f8:fe] max nodes per pid met or exceeded - registration of f4:30:b9:d0:f8:fe to MY-TESTWS02 failed (pf::registration::setup_node_for_registration)
Oct 13 12:15:12 gethq-s23 packetfence_httpd.aaa: httpd.aaa(1864) ERROR: [mac:f4:30:b9:d0:f8:fe] auto-registration of node failed max nodes per pid met or exceeded (pf::radius::authorize)

Reading the PacketFence mail archive I have seen that it is normal for machine authentication to hit the null realm. I have tried turning on the "RADIUS machine auth with username" advanced parameter, but I do not see any change. I would appreciate a little help here if possible, just to put me in the right direction. If you need any more logging, feel free to request it.

_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
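The log excerpt above contains the whole story of why the node landed in the registration VLAN, but it is easy to fixate on the last ERROR ("max nodes per pid") and miss the LDAP bind failure a few lines earlier. The script below is an added example, not code from the poster or from the PacketFence project: it parses packetfence.log lines in the format shown in this post (the line layout is assumed from the posted lines only), groups the events for one MAC, and reports the findings in upstream-to-downstream order so that the root cause (the LDAP source could not be queried, so no role could ever be assigned) is listed before its consequences. The sample log is the posted excerpt, one event per line; the finding labels and the heuristic that flags a username with no realm, no host/ prefix and no trailing $ are my own choices, not PacketFence behaviour.

```python
import re

# Constructed sample: the ten events from the post above, one per line.
SAMPLE_LOG = """\
Oct 13 12:15:12 gethq-s23 packetfence_httpd.aaa: httpd.aaa(1864) INFO: [mac:f4:30:b9:d0:f8:fe] handling radius autz request: from switch_ip => (172.20.0.6), connection_type => Ethernet-EAP,switch_mac => (f8:4f:57:17:92:01), mac => [f4:30:b9:d0:f8:fe], port => 10101, username => "MY-TESTWS02" (pf::radius::authorize)
Oct 13 12:15:12 gethq-s23 packetfence_httpd.aaa: httpd.aaa(1864) INFO: [mac:f4:30:b9:d0:f8:fe] Instantiate profile 802.1x (pf::Connection::ProfileFactory::_from_profile)
Oct 13 12:15:12 gethq-s23 packetfence_httpd.aaa: httpd.aaa(1864) INFO: [mac:f4:30:b9:d0:f8:fe] Found authentication source(s) : 'ad-ws,ad-employees' for realm 'null' (pf::config::util::filter_authentication_sources)
Oct 13 12:15:12 gethq-s23 packetfence_httpd.aaa: httpd.aaa(1864) WARN: [mac:f4:30:b9:d0:f8:fe] Calling match with empty/invalid rule class. Defaulting to 'authentication' (pf::authentication::match2)
Oct 13 12:15:12 gethq-s23 packetfence_httpd.aaa: httpd.aaa(1864) INFO: [mac:f4:30:b9:d0:f8:fe] Using sources ad-ws, ad-employees for matching (pf::authentication::match2)
Oct 13 12:15:12 gethq-s23 packetfence_httpd.aaa: httpd.aaa(1864) ERROR: [mac:f4:30:b9:d0:f8:fe] Error binding 'Connection reset by peer' (pf::LDAP::bind)
Oct 13 12:15:12 gethq-s23 packetfence_httpd.aaa: httpd.aaa(1864) WARN: [mac:f4:30:b9:d0:f8:fe] LDAP connection expired (pf::LDAP::expire_if)
Oct 13 12:15:12 gethq-s23 packetfence_httpd.aaa: httpd.aaa(1864) WARN: [mac:f4:30:b9:d0:f8:fe] No role specified or found for pid MY-TESTWS02 (MAC f4:30:b9:d0:f8:fe); assume maximum number of registered nodes is reached (pf::node::is_max_reg_nodes_reached)
Oct 13 12:15:12 gethq-s23 packetfence_httpd.aaa: httpd.aaa(1864) ERROR: [mac:f4:30:b9:d0:f8:fe] max nodes per pid met or exceeded - registration of f4:30:b9:d0:f8:fe to MY-TESTWS02 failed (pf::registration::setup_node_for_registration)
Oct 13 12:15:12 gethq-s23 packetfence_httpd.aaa: httpd.aaa(1864) ERROR: [mac:f4:30:b9:d0:f8:fe] auto-registration of node failed max nodes per pid met or exceeded (pf::radius::authorize)
"""

# Line layout assumed from the posted lines: syslog timestamp, host, process,
# "httpd.aaa(pid)", level, [mac:...], free-text message, and the emitting Perl
# module in parentheses at the very end.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<proc>\S+): \S+ "
    r"(?P<level>[A-Z]+): \[mac:(?P<mac>[0-9a-f:]{17})\] (?P<msg>.*) "
    r"\((?P<module>pf::[\w:]+)\)$"
)


def parse_line(line):
    """Return a dict of fields for one packetfence.log line, or None if it does not match."""
    m = LINE_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def parse_log(text):
    """Parse every recognisable line; unrecognised lines are skipped, not fatal."""
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def triage(events, mac):
    """Collect what the log says about one MAC's RADIUS authorization."""
    summary = {"mac": mac, "username": None, "realm": None, "sources": [],
               "ldap_errors": [], "role_found": None, "outcome": None}
    for e in (e for e in events if e["mac"] == mac):
        msg = e["msg"]
        m = re.search(r'username => "([^"]*)"', msg)
        if m:
            summary["username"] = m.group(1)
        m = re.search(r"Found authentication source\(s\) : '([^']*)' for realm '([^']*)'", msg)
        if m:
            summary["sources"] = m.group(1).split(",")
            summary["realm"] = m.group(2)
        # Any WARN/ERROR from the LDAP layer means the source lookup never really ran.
        if e["module"].startswith("pf::LDAP") and e["level"] in ("WARN", "ERROR"):
            summary["ldap_errors"].append(msg)
        if msg.startswith("No role specified or found"):
            summary["role_found"] = False
        if msg.startswith("auto-registration of node failed"):
            summary["outcome"] = msg.partition("failed ")[2]
    return summary


def diagnose(summary):
    """Order the findings so the most upstream cause comes first."""
    findings = []
    if summary["ldap_errors"]:
        findings.append("ldap_bind_failed")          # root cause: source unreachable
    u = summary["username"] or ""
    # Heuristic (mine, not PacketFence's): a bare computer name with no realm,
    # no host/ prefix and no trailing $ is what the source rule has to match.
    if u and not u.startswith("host/") and "." not in u and not u.endswith("$"):
        findings.append("username_without_domain_or_host_prefix")
    if summary["role_found"] is False:
        findings.append("no_role_assigned")           # consequence of the above
    if summary["outcome"]:
        findings.append("auto_registration_failed")   # what the admin actually sees
    return findings


if __name__ == "__main__":
    s = triage(parse_log(SAMPLE_LOG), "f4:30:b9:d0:f8:fe")
    for k, v in s.items():
        print(f"{k:12} {v}")
    print("findings:", " -> ".join(diagnose(s)))
```

Running it on the posted excerpt lists ldap_bind_failed first, which is the check worth doing before touching realm or role settings: a "Connection reset by peer" on bind means neither ad-ws nor ad-employees was actually consulted, so the "No role specified" and "max nodes per pid" messages are downstream symptoms, not independent problems.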
