it's EAP-TLS, not EAP-PEAP

________________________________
From: Ludovic Zammit <lzam...@inverse.ca>
Sent: Thursday, March 26, 2020 20:06
To: Juraj Tobias <j...@leaf.sk>
Cc: packetfence-users@lists.sourceforge.net
Subject: Re: [PacketFence-users] multiple active directories as authentication sources?

For EAP-PEAP you would need to put all your CA certs into the same file and it would work.

Thanks,

Ludovic Zammit
lzam...@inverse.ca :: +1.514.447.4918 (x145) :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence (http://packetfence.org)

On Mar 26, 2020, at 3:05 PM, Juraj Tobias <j...@leaf.sk> wrote:

The captive portal authenticates the user against AD and generates a certificate for the 802.1X provisioner for EAP-TLS.

Thanks for mentioning the multiple AD domain join. So far a single domain join has worked without a realm configured, but I guess with multiple ADs joined this would be required.

________________________________
From: Ludovic Zammit <lzam...@inverse.ca>
Sent: Thursday, March 26, 2020 20:01
To: Juraj Tobias <j...@leaf.sk>
Cc: packetfence-users@lists.sourceforge.net
Subject: Re: [PacketFence-users] multiple active directories as authentication sources?

When you are talking about AD authentication, are you talking about LDAP authentication on the captive portal, or about an 802.1X connection checking username/password credentials?

You can join multiple AD domains with PacketFence; you would need to assign the different realms to the different ADs.

Thanks,

Ludovic Zammit

On Mar 26, 2020, at 2:55 PM, Juraj Tobias <j...@leaf.sk> wrote:

So you're saying there's no problem with the PacketFence server being joined to just one of the ADs it authenticates against?

If true, this would imply a domain join is not needed at all, even with only a single AD in the configuration. Why then is the domain-joining step part of the installation doc, if it's not mandatory for the whole thing to work properly?

As for the same username in multiple ADs: that can't happen in our setup.

jt

________________________________
From: Ludovic Zammit <lzam...@inverse.ca>
Sent: Thursday, March 26, 2020 19:45
To: Juraj Tobias <j...@leaf.sk>
Cc: packetfence-users@lists.sourceforge.net
Subject: Re: [PacketFence-users] multiple active directories as authentication sources?

Hello,

You can create a connection profile per organization and match the correct AD for each authentication.

If you put two sources on the same connection profile and you have the same username in both ADs, it would only match on the first one and never the other one.

Thanks,

Ludovic Zammit

On Mar 26, 2020, at 9:44 AM, Juraj Tobias via PacketFence-users <packetfence-users@lists.sourceforge.net> wrote:

We have multiple organizations sharing the same premises, but each has its own Active Directory (i.e. no trusts, no single forest). Is it possible to configure a single PacketFence server to try user auth against all of them?

So far, as I understand how FreeRADIUS works, a domain join is required in order to authenticate against an AD, and, since a single PacketFence server can only be joined to one domain, this is not possible, but perhaps PacketFence has a way around it.

Thanks in advance

_______________________________________________
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users
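The "put all your CA certs into the same file" approach from the thread, as an added example that is not part of the original posts and is not PacketFence or FreeRADIUS code. It builds one PEM bundle from the CA certificates of several tenant organisations, which is the kind of file a FreeRADIUS EAP `ca_file` setting would point at for EAP-TLS client-certificate verification, then checks with `openssl verify` that a client certificate issued by each tenant CA chains to the bundle while one from a CA that was not included is rejected. The organisation names (org-a, org-b, org-c), the user names, the `$WORK` directory and the file layout are all assumptions; every key and certificate is generated locally by the script, so it runs offline and touches no real PKI.

```shell
#!/bin/sh
# Added example (not PacketFence/FreeRADIUS code): build a single CA bundle
# from several organisations' CA certificates and check which client
# certificates it accepts. All names and paths below are made up; every
# key and cert is generated locally by this script.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# make_ca NAME: create a self-signed root CA for one organisation
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -keyout "$WORK/$1-ca.key" -out "$WORK/$1-ca.pem" \
    -subj "/CN=$1 Root CA" >/dev/null 2>&1
}

# issue_client CA USER: issue a client (EAP-TLS style) cert for USER signed by CA
issue_client() {
  openssl req -newkey rsa:2048 -nodes \
    -keyout "$WORK/$2.key" -out "$WORK/$2.csr" \
    -subj "/CN=$2" >/dev/null 2>&1
  openssl x509 -req -days 365 -in "$WORK/$2.csr" \
    -CA "$WORK/$1-ca.pem" -CAkey "$WORK/$1-ca.key" -CAcreateserial \
    -out "$WORK/$2.pem" >/dev/null 2>&1
}

# build_bundle NAME...: concatenate the listed organisations' CA certs into
# one PEM file; this is the "all CA certs in the same file" from the thread
build_bundle() {
  : > "$WORK/ca-bundle.pem"
  for ca in "$@"; do
    cat "$WORK/$ca-ca.pem" >> "$WORK/ca-bundle.pem"
  done
}

# verify_client USER: exit 0 if USER's cert chains to a CA in the bundle,
# non-zero otherwise (same trust decision a RADIUS server makes with ca_file)
verify_client() {
  openssl verify -CAfile "$WORK/ca-bundle.pem" "$WORK/$1.pem" >/dev/null 2>&1
}

# setup_demo: two tenant CAs in the bundle, one outsider CA left out
setup_demo() {
  make_ca org-a
  make_ca org-b
  make_ca org-c            # not a tenant: its clients must be rejected
  issue_client org-a alice
  issue_client org-b bob
  issue_client org-c mallory
  build_bundle org-a org-b
}

# Stand-alone run: report the decision for each client certificate
if [ "${1:-}" = "run" ]; then
  setup_demo
  for u in alice bob mallory; do
    if verify_client "$u"; then echo "$u: accepted"; else echo "$u: rejected"; fi
  done
fi
```

Run it as `sh bundle-check.sh run`. The point of the third CA is the check a practitioner wants before trusting a concatenated bundle: the file must contain exactly the tenant roots and nothing else, because every client certificate chaining to any CA in that file is accepted as a valid EAP-TLS peer, and the per-organisation split then has to come from the connection profile or realm, not from the TLS layer.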