Hi Fabrice,

The patch worked fine and users can now authenticate with their userPrincipalName. The only thing to note is that there is one error in the RADIUS Auth log entry, as follows:

    Module-Failure-Message = "Failed retrieving values required to evaluate condition"
    SQL-User-Name = 20217...@farn-ct.ac.uk

Also the node status in the audit log is N/A, as follows:

    40:33:1a:47:ab:1e  N/A  0  20217...@farn-ct.ac.uk  2018-11-21 11:42:14  172.16.36.30  Wireles

Thanks for your help
WillH

From: Durand fabrice via PacketFence-users <packetfence-users@lists.sourceforge.net>
Sent: 20 November 2018 04:35
To: packetfence-users@lists.sourceforge.net
Cc: Durand fabrice <fdur...@inverse.ca>
Subject: Re: [PacketFence-users] Eduroam local login

Hello Will,

yes, but it's not yet available in PacketFence 8.2. If you want to test, you can use the following PR: https://github.com/inverse-inc/packetfence/pull/3429

    cd /usr/local/pf
    curl https://patch-diff.githubusercontent.com/raw/inverse-inc/packetfence/pull/3429.diff | patch -p1 --dry-run

If no error:

    curl https://patch-diff.githubusercontent.com/raw/inverse-inc/packetfence/pull/3429.diff | patch -p1
    cp conf/radiusd/ldap_packetfence.conf.example conf/radiusd/ldap_packetfence.conf
    cp conf/radiusd/packetfence-tunnel.example conf/radiusd/packetfence-tunnel
    bin/pfcmd pfconfig clear_backend
    bin/pfcmd configreload hard
    bin/pfcmd service pf restart

After that, check in the admin GUI in the realm configuration and select the LDAP source to use to resolve the sAMAccountName attribute, then edit the LDAP authentication source to select the username attribute to resolve the sAMAccountName (userPrincipalName).

So the logic will be the following: you will use the userPrincipalName attribute to authenticate (w.hals...@farn-ct.ac.uk), then FreeRADIUS will do an LDAP search to find the sAMAccountName based on userprincipalname=w.hals...@farn-ct.ac.uk and do an ntlm_auth with the result of the search.

The last thing will be to use an LDAP source (clone the previous one if needed) and use userPrincipalName as the user attribute to create some rules (role/access duration).

Regards
Fabrice

On 19/11/18 at 09:03, Will Halsall via PacketFence-users wrote:

Hi Fabrice,

Thank you, yes that now works if I use the <sAMAccountName>@farn-ct.ac.uk. Can I modify this to use the userPrincipalName (mail address) w.hals...@farn-ct.ac.uk, either by using LDAP or by using LDAP with a filter to retrieve the sAMAccountName?

Thanks
Will H

From: Fabrice Durand via PacketFence-users <packetfence-users@lists.sourceforge.net>
Sent: 14 November 2018 20:08
To: packetfence-users@lists.sourceforge.net
Cc: Fabrice Durand <fdur...@inverse.ca>
Subject: Re: [PacketFence-users] Eduroam local login

Hello Will,

I think it's because the username is not stripped on the ntlm_auth call. Can you strip it in the farn-ct-ac-uk realm config? It's like that right now:

    realm farn-ct.ac.uk {
        nostrip
    }

Regards
Fabrice

On 14/11/18 at 11:34, Will Halsall via PacketFence-users wrote:

Hi Folks,

I have configured an Eduroam Exclusive Source and the access point but am able to log in a local user. I have included the RADIUS Eduroam debug logs. Would it be possible for someone to have a look to see if they can spot what I am doing wrong?

Thanks
Will Halsall

_______________________________________________
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users

--
Fabrice Durand
fdur...@inverse.ca :: +1.514.447.4918 (x135) :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence (http://packetfence.org)
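An added illustrative model of the identity flow Fabrice describes (realm stripping versus nostrip, the userPrincipalName lookup that yields the sAMAccountName handed to ntlm_auth, and RFC 4515 escaping of the User-Name before it is placed in the LDAP filter). This is not PacketFence or FreeRADIUS code; the directory entries and account names are constructed.

```python
# Constructed model of the thread's identity flow; not PacketFence or FreeRADIUS code.

# RFC 4515 escapes for a value placed inside an LDAP search filter: a User-Name
# containing '*' or parentheses must not be able to change the filter's meaning.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value):
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def split_realm(user_name, nostrip=False):
    """Return (identity, realm) for a user@realm User-Name.

    With nostrip, as in the thread's realm block, the identity keeps its
    '@realm' suffix; otherwise it is reduced to the local part."""
    if "@" not in user_name:
        return user_name, None
    local, realm = user_name.rsplit("@", 1)
    return (user_name if nostrip else local), realm.lower()


def upn_search_filter(user_name):
    """The equality filter used to look the user up by userPrincipalName."""
    return "(userPrincipalName=%s)" % escape_filter_value(user_name)


# Constructed sample entries standing in for the LDAP source (not real accounts).
SAMPLE_DIRECTORY = [
    {"userPrincipalName": "jane.doe@farn-ct.ac.uk", "sAMAccountName": "jdoe"},
    {"userPrincipalName": "student00001@farn-ct.ac.uk", "sAMAccountName": "student00001"},
]


def resolve_samaccountname(directory, user_name):
    """Exact, case-insensitive UPN match, mirroring an LDAP equality filter."""
    wanted = user_name.lower()
    for entry in directory:
        if entry["userPrincipalName"].lower() == wanted:
            return entry["sAMAccountName"]
    return None


def ntlm_auth_identity(directory, user_name, nostrip=False):
    """Identity handed to ntlm_auth: the sAMAccountName found by UPN lookup,
    or, when the lookup finds nothing, the realm-processed User-Name (which is
    only usable if it was a stripped sAMAccountName@realm)."""
    sam = resolve_samaccountname(directory, user_name)
    return sam if sam is not None else split_realm(user_name, nostrip)[0]
```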