This shows it not working for machine auth:

   - Node Information
   <https://a3.skynet-home.co.uk:1443/admin/auditing#nodeInformation>
   - Device Information
   <https://a3.skynet-home.co.uk:1443/admin/auditing#switchInformation>
   - RADIUS
   <https://a3.skynet-home.co.uk:1443/admin/auditing#radiusInformation>

MAC Address: 8c:85:90:24:56:2a
Auth Status: Accept
Auth Type: eap
Auto Registration: yes
Calling Station ID: 8c:85:90:24:56:2a
Computer name: PC1
EAP Type: TLS
Event Type: Radius-Access-Request
IP Address:
Is a Phone: no
Node status: reg
Domain:
Profile: Secure
Realm: null
Reason:
Role: N/A
Source: N/A
Stripped User Name: host/PC1.skynet-home.co.uk
User Name: host/PC1.skynet-home.co.uk
Unique ID:
Create at: 2018-11-30 15:59:47


request_time 1

RADIUS Request
    User-Name = "host/PC1.skynet-home.co.uk"
    NAS-IP-Address = 172.16.0.63
    NAS-Port = 0
    Service-Type = Framed-User
    Framed-MTU = 1500
    State = 0x69a47a026f7477b337b5a73185ad654b
    Called-Station-Id = "34:85:84:01:ad:e4:Secure"
    Calling-Station-Id = "8c:85:90:24:56:2a"
    NAS-Identifier = "AP-Living Room"
    NAS-Port-Type = Wireless-802.11
    Acct-Session-Id = "97AE1E134BCDFF20"
    Acct-Multi-Session-Id = "14EE5B922493DD46"
    Event-Timestamp = "Nov 30 2018 15:59:46 UTC"
    Connect-Info = "11ac"
    EAP-Message = 0x02d000060d00
    Message-Authenticator = 0x5938ec0d8636f372977291ab5284b7c3
    WLAN-Pairwise-Cipher = 1027076
    WLAN-Group-Cipher = 1027076
    WLAN-AKM-Suite = 1027073
    EAP-Type = TLS
    Stripped-User-Name = "host/PC1.skynet-home.co.uk"
    Realm = "null"
    FreeRADIUS-Client-IP-Address = 172.16.0.63
    Called-Station-SSID = "Secure"
    Tmp-String-1 = "8c859024562a"
    TLS-Cert-Serial = "40ba1f957d9defac4bb5cb77b86c839d"
    TLS-Cert-Expiration = "231116144940Z"
    TLS-Cert-Issuer = "/DC=uk/DC=co/DC=skynet-home/CN=skynet-home-CA"
    TLS-Cert-Subject = "/DC=uk/DC=co/DC=skynet-home/CN=skynet-home-CA"
    TLS-Cert-Common-Name = "skynet-home-CA"
    TLS-Client-Cert-Serial = "6000000039b80f00dd8d7f8258000000000039"
    TLS-Client-Cert-Expiration = "191130094831Z"
    TLS-Client-Cert-Issuer = "/DC=uk/DC=co/DC=skynet-home/CN=skynet-home-CA"
    TLS-Client-Cert-X509v3-Extended-Key-Usage = "TLS Web Client Authentication"
    TLS-Client-Cert-X509v3-Subject-Key-Identifier = "52:BD:9A:9B:D8:AD:71:57:DF:85:7D:45:CF:55:7D:21:1E:25:95:1B"
    TLS-Client-Cert-X509v3-Authority-Key-Identifier = "keyid:0B:28:C9:C3:08:39:78:F4:9B:F0:9A:0D:8E:E7:34:F0:65:B5:17:F7\n"
    TLS-Client-Cert-Subject-Alt-Name-Dns = "PC1.skynet-home.co.uk"
    TLS-Client-Cert-Subject-Alt-Name-Upn = "PC1$@skynet-home.co.uk"
    TLS-Client-Cert-X509v3-Extended-Key-Usage-OID = "1.3.6.1.5.5.7.3.2"
    Attr-26.26928.1 = 0x00000000
    Attr-26.26928.6 = 0x00000004
    User-Password = "******"
    SQL-User-Name = "host/PC1.skynet-home.co.uk"

RADIUS Reply
    MS-MPPE-Recv-Key = 0x326817d7721fa00d316c92b6b5c3c7abce47e842d097cc69a097666c3069b501
    MS-MPPE-Send-Key = 0x2ee8af1bcefb38b9d258e5d201bccfea1ad4deffd4d2eab456ea76113d2e265e
    EAP-MSK = 0x326817d7721fa00d316c92b6b5c3c7abce47e842d097cc69a097666c3069b5012ee8af1bcefb38b9d258e5d201bccfea1ad4deffd4d2eab456ea76113d2e265e
    EAP-EMSK = 0x85fe135bbe618ec9a8982c8406095d81a3292de5f4fb74f7169a8bfa918939d3f06bf1db1c558ed02caf9fa3fa07b2d6af9c7188a2f7ef48252fb5ae82fcc747
    EAP-Session-Id = 0x0d5c015d7e486efb06c2f3495018f9a0a2c18af148b5d31107a581ffa97d67d577a40013b29fc7c73e4afefe95cea7432dc0db0a4d445d498b160684c08f098211
    EAP-Message = 0x03d00004
    Message-Authenticator = 0x00000000000000000000000000000000
    User-Name = "host/PC1.skynet-home.co.uk"

This shows it working for user auth

MAC Address: 8c:85:90:24:56:2a
Auth Status: Accept
Auth Type: eap
Auto Registration: yes
Calling Station ID: 8c:85:90:24:56:2a
Computer name: PC1
EAP Type: TLS
Event Type: Radius-Access-Request
IP Address:
Is a Phone: no
Node status: reg
Domain:
Profile: Secure
Realm: skynet-home.co.uk
Reason:
Role: Corp
Source: AD-Source
Stripped User Name: Administrator
User Name: administra...@skynet-home.co.uk
Unique ID:
Create at: 2018-11-30 15:41:21

request_time 0

RADIUS Request

RADIUS Reply
    MS-MPPE-Recv-Key = 0xd2fb2f02da1a4880014f9aa15da91dbaf827b968eea350a9467cbaa384864e8b
    MS-MPPE-Send-Key = 0x3b9989e0b39d9a618ff68836eddde883b9374c7dc8734702ec2b6298f4acaded
    EAP-MSK = 0xd2fb2f02da1a4880014f9aa15da91dbaf827b968eea350a9467cbaa384864e8b3b9989e0b39d9a618ff68836eddde883b9374c7dc8734702ec2b6298f4acaded
    EAP-EMSK = 0x152283637273fde4ce343bbd289615bfe1d235d7b016e632c596ba3afbc76b268d901ad0d03d74f4cc41d1bd0a7f9ff143fe907267bba73669d12bd3f8165770
    EAP-Session-Id = 0x0d5c01592c4fc98e50464be9a2b6a20fc3644556096b63ea0d4d5ab60e63e7be99459699f3ba887243bfe5d4825a4b9c0f91a207b41fc7d926642e16af86e1a760
    EAP-Message = 0x03560004
    Message-Authenticator = 0x00000000000000000000000000000000
    User-Name = "administra...@skynet-home.co.uk"
    Filter-Id = "Corp"

It seems that the role is not assigned for machine/computer auth?

The AD-source has the correct SPN applied as per the docs.

Anyone got any tips?

Thanks
Wi-Fi Guy

On Thu, 29 Nov 2018 at 11:03, Wifi Guy <wifisp...@gmail.com> wrote:

> Good Morning all,
>
> I have managed to get very far to date with my installation.
>
> However, I am struggling with the last piece of the puzzle: how to handle
> BYOD devices that authenticate via EAP-TLS (onboarding process) and
> distinguish them from corp users.
>
> So I thought the best way to handle this is that Corp users that
> authenticate with EAP-TLS will use Machine Auth and be assigned into a
> machine role, and other users will be assigned into a BYOD policy. Is this
> the best approach?
>
> So to the setup I managed to get a reg vlan setup. This allows users who
> are not part of the domain to authenticate via a CWP. There are
> provisioners setup to assign the device the TLS cert. This works great! :)
>
> For my corp machines, currently the GPO etc are setup. User and computer
> certs are sent on domain join, so no issues with auto enrollment. Also the
> machine has the SSID specified with TLS set and the option computer
> authentication selected. In an ideal world I would be able to chain the
> authentication (something like TEAP) where computer auth happens at login
> and then user auth happens at login. But I can't see a way to do this
> without breaking the BYOD issue?
>
> My question is what should the GUI setup look like? Currently I have two
> internal AD sources, one for computer auth (servicePrincipalName) and one
> for user auth. From the documentation it's not clear how the connection
> profiles should look, what order things should be in, and if I am looking at
> this the wrong way.
>
> Any advice, help, etc. would be very helpful.
>
> WiFiGuy
>
_______________________________________________
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users

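A parser for the FreeRADIUS attribute dumps quoted in this thread, added here as an example that is not part of the original post and not PacketFence's own code. It pulls the identities a machine-auth EAP-TLS session offers (the host/ SPN in Stripped-User-Name, the sAMAccountName "PC1$" from the certificate's UPN SAN, the dNSHostName from the DNS SAN), builds the RFC 4515-escaped LDAP filter an AD source would need to match the computer object, and checks whether a reply carried a Filter-Id role, which is exactly the difference between the two replies above. The attribute values are copied from the two exchanges in the thread; the function names, the filter shape and the objectClass=computer clause are assumptions for illustration, not how PacketFence's AD source is implemented.

```python
import re
from typing import Dict, Optional

# Constructed samples: abridged copies of the attributes posted in the thread.
# The machine-auth request (Stripped-User-Name host/..., computer cert SANs):
MACHINE_REQUEST = '''
User-Name = "host/PC1.skynet-home.co.uk" NAS-IP-Address = 172.16.0.63 NAS-Port = 0
NAS-Identifier = "AP-Living Room" NAS-Port-Type = Wireless-802.11
Calling-Station-Id = "8c:85:90:24:56:2a" EAP-Type = TLS
Stripped-User-Name = "host/PC1.skynet-home.co.uk" Realm = "null"
TLS-Client-Cert-Subject-Alt-Name-Dns = "PC1.skynet-home.co.uk"
TLS-Client-Cert-Subject-Alt-Name-Upn = "PC1$@skynet-home.co.uk"
TLS-Client-Cert-X509v3-Authority-Key-Identifier = "keyid:0B:28:C9:C3:08:39:78:F4:9B:F0:9A:0D:8E:E7:34:F0:65:B5:17:F7\\n"
TLS-Client-Cert-X509v3-Extended-Key-Usage-OID = "1.3.6.1.5.5.7.3.2"
'''
# The two replies: machine auth came back with no role, user auth with Filter-Id.
MACHINE_REPLY = 'EAP-Message = 0x03d00004 User-Name = "host/PC1.skynet-home.co.uk"'
USER_REPLY = ('EAP-Message = 0x03560004 User-Name = "administra...@skynet-home.co.uk" '
              'Filter-Id = "Corp"')

# One attribute: name, "=", then a quoted string (backslash escapes allowed),
# a 0x hex blob, or a bare token such as 172.16.0.63 or Wireless-802.11.
ATTR_RE = re.compile(
    r'([A-Za-z0-9.-]+)\s*=\s*'
    r'("(?:[^"\\]|\\.)*"|0x[0-9A-Fa-f]+|\S+)'
)


def parse_radius_attrs(dump: str) -> Dict[str, str]:
    """Flatten a FreeRADIUS attribute dump into a name -> value dict.
    The first occurrence wins when an attribute is repeated."""
    attrs: Dict[str, str] = {}
    for name, raw in ATTR_RE.findall(dump):
        if raw.startswith('"'):
            raw = raw[1:-1]          # drop the surrounding quotes only
        attrs.setdefault(name, raw)
    return attrs


def machine_identity(attrs: Dict[str, str]) -> Optional[Dict[str, str]]:
    """AD lookup keys for a computer-account EAP-TLS session, or None for a
    user session. A machine session is recognised by the host/ prefix or by
    a UPN SAN whose local part ends in '$' (computer account naming)."""
    name = attrs.get("Stripped-User-Name") or attrs.get("User-Name", "")
    upn = attrs.get("TLS-Client-Cert-Subject-Alt-Name-Upn", "")
    if not name.startswith("host/") and not upn.split("@")[0].endswith("$"):
        return None
    ident = {"spn": name if name.startswith("host/") else ""}
    if upn:
        sam, _, realm = upn.partition("@")
        ident["sAMAccountName"] = sam     # "PC1$" for the computer object
        ident["realm"] = realm
    dns = attrs.get("TLS-Client-Cert-Subject-Alt-Name-Dns")
    if dns:
        ident["dNSHostName"] = dns
    return ident


def ldap_escape(value: str) -> str:
    """RFC 4515 escaping: cert SANs and User-Name come from the supplicant,
    so they must not be able to change the structure of the filter."""
    return "".join(
        "\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value
    )


def ldap_filter_for(ident: Dict[str, str]) -> str:
    """Hypothetical filter an AD source could use to find the computer object
    by either its SPN or its sAMAccountName (assumed shape, not PacketFence's)."""
    clauses = []
    if ident.get("spn"):
        clauses.append("(servicePrincipalName=%s)" % ldap_escape(ident["spn"]))
    if ident.get("sAMAccountName"):
        clauses.append("(sAMAccountName=%s)" % ldap_escape(ident["sAMAccountName"]))
    return "(&(objectClass=computer)(|%s))" % "".join(clauses)


def assigned_role(reply_attrs: Dict[str, str]) -> Optional[str]:
    """The role returned to the NAS, carried as Filter-Id in the thread's replies."""
    return reply_attrs.get("Filter-Id")


if __name__ == "__main__":
    req = parse_radius_attrs(MACHINE_REQUEST)
    ident = machine_identity(req)
    print("identity:", ident)
    print("filter:  ", ldap_filter_for(ident))
    print("machine reply role:", assigned_role(parse_radius_attrs(MACHINE_REPLY)))
    print("user reply role:   ", assigned_role(parse_radius_attrs(USER_REPLY)))
```

Two things worth checking against the dumps when a machine session gets no role: which of the three identities (host/ SPN, "PC1$" sAMAccountName, DNS hostname) the AD source is actually searching on, since only one of them is in Stripped-User-Name, and whether the role-less reply is the symptom of a lookup that returned nothing rather than a matched object with no rule. The escaping matters because every value here is controlled by whoever holds a client certificate the CA issued.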