Hi Durand,

I have it set up like the second option you mentioned (EAP-TTLS/PAP); however, the issue is that it tries NTLM auth no matter what order I have everything in, which fails for student accounts, and it stops when NTLM auth fails instead of moving on to the next source.

On Sun, Oct 13, 2019 at 4:57 AM Durand fabrice <[email protected]> wrote:
>
> Hello Jordan,
>
> yes you can do that on the captive portal.
>
> You just need to create a connection profile with a rule that matches, for
> example, the ssid and assign it the authentication source you want to use
> (in first position the student one and then in 2nd position the staff one).
>
> The other option should be to do EAP-TTLS/PAP for the student and
> configure Freeradius to talk to G suite via ldap. (I don't have a G
> suite account so I can't test but it should work).
>
> Regards
>
> Fabrice
>
>
> On 19-10-11 at 22:11, Jordan Dare wrote:
> > Hi Durand,
> >
> > Thanks for your reply.
> >
> > Is it possible to have it check the student source first, then if it
> > fails go to AD? or something like that? G Suite doesn't normally do
> > 802.1x, but they have an LDAP server you can authenticate against
> > which is what I'm trying to do.
> >
> > Thanks!
> >
> > On Fri, Oct 11, 2019 at 5:45 PM Durand fabrice via PacketFence-users
> > <[email protected]> wrote:
> >> Hello Jordan,
> >>
> >> the error message is related to ntlm, so it means that it tries to
> >> authenticate the student account on the AD.
> >>
> >> When it fails in freeradius then the radius request doesn't reach the
> >> packetfence code to test the authentication sources with the rules.
> >>
> >> So you need to find a way to authenticate your student with 802.1x and
> >> is it possible to do 802.1x with G suite?
> >>
> >> Regards
> >>
> >> Fabrice
> >>
> >>
> >> On 19-10-03 at 16:23, Jordan Dare via PacketFence-users wrote:
> >>> Hi all,
> >>>
> >>> I'm having issues getting a wireless profile to use the secondary LDAP
> >>> source instead of the Active Directory source when authentication
> >>> fails.
> >>>
> >>> What I have is our internal AD server that has all staff accounts,
> >>> etc. And an stunnel proxy to G-Suite LDAP which contains our student
> >>> accounts.
> >>>
> >>> What I want to happen is if authentication fails for the first Active
> >>> Directory source, it then tries the stunnel G Suite LDAP, however it
> >>> seems to hit the AD source, get an "authentication failed", and then
> >>> stop there.
> >>>
> >>> Here's what the "RADIUS" tab on the failed authentication shows:
> >>> Module-Failure-Message = "chrooted_mschap: Program returned code (1)
> >>> and output 'The attempted logon is invalid. This is either due to a
> >>> bad username or authentication information. (0xc000006d)'"
> >>> Module-Failure-Message = "chrooted_mschap: External script says: The
> >>> attempted logon is invalid. This is either due to a bad username or
> >>> authentication information. (0xc000006d)"
> >>> Module-Failure-Message = "chrooted_mschap: MS-CHAP2-Response is incorrect"
> >>> User-Password = "******"
> >>> Module-Failure-Message = "Failed retrieving values required to
> >>> evaluate condition"
> >>>
> >>> Thanks.
> >>> --
> >>>
> >>> Jordan Dare
> >>>
> >>> Information Technology Specialist
> >>>
> >>> Morgan Hill Unified School District
> >>>
> >>>
> >>> _______________________________________________
> >>> PacketFence-users mailing list
> >>> [email protected]
> >>> https://lists.sourceforge.net/lists/listinfo/packetfence-users
> >>
> >
> >

--
Jordan Dare
Information Technology Specialist
Morgan Hill Unified School District
15600 Concord Circle, Morgan Hill, CA 95037
Office: (408)-201-6000 ext 51028
Cell: (408)-891-2420
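
The diagnosis in this thread rests on reading the `Module-Failure-Message` attributes: the failing module is `chrooted_mschap` and the NTSTATUS is `0xc000006d`, so the reject came from the MS-CHAP/NTLM path before any PacketFence source rules ran. The script below is an added example, not code from the thread participants or from PacketFence; it triages those attributes from a pasted RADIUS audit entry. The function name, the small NTSTATUS table and the "module name contains mschap" heuristic are assumptions made for illustration.

```python
import re

# Constructed sample: the attributes quoted in the thread, with the
# e-mail line wrapping removed so each attribute sits on one line.
SAMPLE = '''\
Module-Failure-Message = "chrooted_mschap: Program returned code (1) and output 'The attempted logon is invalid. This is either due to a bad username or authentication information. (0xc000006d)'"
Module-Failure-Message = "chrooted_mschap: External script says: The attempted logon is invalid. This is either due to a bad username or authentication information. (0xc000006d)"
Module-Failure-Message = "chrooted_mschap: MS-CHAP2-Response is incorrect"
User-Password = "******"
Module-Failure-Message = "Failed retrieving values required to evaluate condition"
'''

# A few Microsoft-documented NTSTATUS codes relevant to logon failures.
NTSTATUS = {
    0xC000006D: "STATUS_LOGON_FAILURE",
    0xC0000064: "STATUS_NO_SUCH_USER",
    0xC000006A: "STATUS_WRONG_PASSWORD",
    0xC0000234: "STATUS_ACCOUNT_LOCKED_OUT",
}

ATTR = re.compile(r'^\s*Module-Failure-Message\s*=\s*"(.*)"\s*$')
MODULE = re.compile(r'^([A-Za-z0-9_.-]+):\s')    # "module_name: message"
STATUS = re.compile(r'\(0x([0-9a-fA-F]{8})\)')   # "(0xc000006d)"

def triage(text):
    """Return the failing modules, NTSTATUS names seen, and a verdict."""
    modules, statuses = [], set()
    for line in text.splitlines():
        m = ATTR.match(line)
        if not m:
            continue  # ignore other attributes such as User-Password
        msg = m.group(1)
        mod = MODULE.match(msg)
        if mod and mod.group(1) not in modules:
            modules.append(mod.group(1))
        for code in STATUS.findall(msg):
            value = int(code, 16)
            statuses.add(NTSTATUS.get(value, hex(value)))
    # Assumption: a module name containing "mschap" is the MS-CHAPv2/NTLM path.
    ntlm = any("mschap" in name.lower() for name in modules)
    verdict = ("rejected on the MS-CHAP/NTLM path inside FreeRADIUS" if ntlm
               else "no MS-CHAP/NTLM failure recorded")
    return {"modules": modules, "ntstatus": sorted(statuses), "verdict": verdict}

if __name__ == "__main__":
    print(triage(SAMPLE))
```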
