Hi Durand, I don't have a "/usr/local/pf/raddb/modules" folder.

Is this something I need to create, or could it be in another folder instead? I do have "/usr/local/pf/raddb/mods-available" and "mods-enabled", but I don't know if these are the correct folders. Thank you so much for your help!

On Mon, Oct 14, 2019 at 3:23 PM Durand fabrice <[email protected]> wrote:
>
> Hello Jordan,
>
> The logic needs to be added in FreeRADIUS, since FreeRADIUS does the 802.1x.
>
> In fact you need to do something like that:
>
> https://github.com/inverse-inc/packetfence/blob/devel/docs/PacketFence_Installation_Guide.asciidoc#eap-authentication-against-openldap
>
> But in this section:
>
>     authorize {
>         suffix
>         ntdomain
>         eap {
>             ok = return
>         }
>         files
>         openldap
>
>         if (found) {
>             update control {
>                 &MS-CHAP-Use-NTLM-Auth := No
>             }
>         }
>     }
>
> So it means that if the user is found in openldap (in your case gsuite) then disable ntlm_auth.
>
> Let me know if you need more details.
>
> Regards
>
> Fabrice
>
>
> On 2019-10-14 at 16:09, Jordan Dare wrote:
> > Hi Durand,
> >
> > I have it set up like the second option you mentioned (EAP-TTLS/PAP), however the issue is that it tries NTLM auth no matter what order I have everything in, which fails for student accounts, and it stops when NTLM auth fails instead of moving on to the next source.
> >
> > On Sun, Oct 13, 2019 at 4:57 AM Durand fabrice <[email protected]> wrote:
> >> Hello Jordan,
> >>
> >> Yes, you can do that on the captive portal.
> >>
> >> You just need to create a connection profile with a rule that matches, for example, the SSID and assign it the authentication sources you want to use (in first position the student one and in 2nd position the staff one).
> >>
> >> The other option should be to do EAP-TTLS/PAP for the students and configure FreeRADIUS to talk to G Suite via LDAP. (I don't have a G Suite account so I can't test, but it should work.)
> >>
> >> Regards
> >>
> >> Fabrice
> >>
> >>
> >> On 2019-10-11 at 22:11, Jordan Dare wrote:
> >>> Hi Durand,
> >>>
> >>> Thanks for your reply.
> >>>
> >>> Is it possible to have it check the student source first, then if it fails go to AD? Or something like that? G Suite doesn't normally do 802.1x, but they have an LDAP server you can authenticate against, which is what I'm trying to do.
> >>>
> >>> Thanks!
> >>>
> >>> On Fri, Oct 11, 2019 at 5:45 PM Durand fabrice via PacketFence-users <[email protected]> wrote:
> >>>> Hello Jordan,
> >>>>
> >>>> The error message is related to ntlm, so it means that it tries to authenticate the student account on the AD.
> >>>>
> >>>> When it fails in FreeRADIUS then the RADIUS request doesn't reach the PacketFence code to test the authentication sources with the rules.
> >>>>
> >>>> So you need to find a way to authenticate your students with 802.1x, and is it possible to do 802.1x with G Suite?
> >>>>
> >>>> Regards
> >>>>
> >>>> Fabrice
> >>>>
> >>>>
> >>>> On 2019-10-03 at 16:23, Jordan Dare via PacketFence-users wrote:
> >>>>> Hi all,
> >>>>>
> >>>>> I'm having issues getting a wireless profile to use the secondary LDAP source instead of the Active Directory source when authentication fails.
> >>>>>
> >>>>> What I have is our internal AD server that has all staff accounts, etc., and an stunnel proxy to G-Suite LDAP which contains our student accounts.
> >>>>>
> >>>>> What I want to happen is, if authentication fails for the first Active Directory source, it then tries the stunnel G Suite LDAP; however it seems to hit the AD source, get an "authentication failed", and then stop there.
> >>>>>
> >>>>> Here's what the "RADIUS" tab on the failed authentication shows:
> >>>>>
> >>>>>     Module-Failure-Message = "chrooted_mschap: Program returned code (1) and output 'The attempted logon is invalid. This is either due to a bad username or authentication information. (0xc000006d)'"
> >>>>>     Module-Failure-Message = "chrooted_mschap: External script says: The attempted logon is invalid. This is either due to a bad username or authentication information. (0xc000006d)"
> >>>>>     Module-Failure-Message = "chrooted_mschap: MS-CHAP2-Response is incorrect"
> >>>>>     User-Password = "******"
> >>>>>     Module-Failure-Message = "Failed retrieving values required to evaluate condition"
> >>>>>
> >>>>> Thanks.
> >>>>> --
> >>>>>
> >>>>> Jordan Dare
> >>>>>
> >>>>> Information Technology Specialist
> >>>>>
> >>>>> Morgan Hill Unified School District
> >>>>>
> >>>>>
> >>>>> _______________________________________________
> >>>>> PacketFence-users mailing list
> >>>>> [email protected]
> >>>>> https://lists.sourceforge.net/lists/listinfo/packetfence-users
> >>>
> >
>

--
Jordan Dare
Information Technology Specialist
Morgan Hill Unified School District
15600 Concord Circle, Morgan Hill, CA 95037
Office: (408)-201-6000 ext 51028
Cell: (408)-891-2420
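The `authorize` block Fabrice quotes above, carried through to a complete FreeRADIUS 3 inner-tunnel fragment, as an example added to this thread and not configuration from the mail or from PacketFence's own raddb. It assumes an rlm_ldap instance named `openldap` (the G Suite LDAP behind stunnel in Jordan's setup) enabled under `mods-enabled`, and it tests for `ok || updated`, the return codes rlm_ldap produces when the user is found, where the mail writes `found`. The second `if` follows the pattern in FreeRADIUS's stock `sites-available/default`: when the inner method delivered a cleartext password (EAP-TTLS/PAP) and the directory can only bind, the request is routed to `Auth-Type LDAP` so the bind does the verification instead of ntlm_auth.

```unlang
# Added example, not from the mail or PacketFence: FreeRADIUS 3 inner-tunnel
# 'authorize' and 'authenticate' sections that look the user up in LDAP and,
# when found, keep rlm_mschap from calling ntlm_auth against Active Directory.
# 'openldap' is an assumed rlm_ldap instance name (mods-enabled/openldap).
authorize {
    suffix              # split user@realm
    ntdomain            # split DOMAIN\user
    eap {
        ok = return     # outer EAP already handled: leave the section
    }
    files               # local 'users' file

    openldap            # rlm_ldap: returns notfound, ok or updated

    if (ok || updated) {
        # The user exists in the LDAP source (students here), so do not send
        # the MS-CHAP response to ntlm_auth/AD; rlm_mschap will instead need a
        # Cleartext-Password or NT-Password the LDAP mapping supplied.
        update control {
            &MS-CHAP-Use-NTLM-Auth := No
        }

        # EAP-TTLS/PAP delivers the cleartext password in the tunnel; a
        # bind-only directory can then verify it by binding as the user.
        if (&User-Password) {
            update control {
                &Auth-Type := LDAP
            }
        }
    }
    # Users not in LDAP (staff) fall through with NTLM auth still enabled,
    # so rlm_mschap keeps using ntlm_auth against AD for them.

    pap                 # sets Auth-Type PAP when a known password is present
    mschap              # sets Auth-Type MS-CHAP for MS-CHAP requests
}

authenticate {
    Auth-Type PAP {
        pap
    }
    Auth-Type MS-CHAP {
        mschap
    }
    Auth-Type LDAP {
        openldap        # bind as the user with the tunnelled password
    }
    eap
}
```

The practical consequence for the thread: with `MS-CHAP-Use-NTLM-Auth := No`, an MS-CHAPv2 inner method (PEAP) can only succeed if rlm_ldap mapped a password attribute into the control list, which a bind-only directory does not provide; the `Auth-Type LDAP` path works for a PAP inner method, which is why the EAP-TTLS/PAP option is the one that pairs with an LDAP bind.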
