Ludovic, See below:
[root@pf428 conf]# cat realm.conf
# Copyright (C) Inverse inc.
[1 DEFAULT]
permit_custom_attributes=disabled
radius_auth_proxy_type=keyed-balance
radius_auth_compute_in_pf=enabled
eduroam_radius_auth=
domain=PCS
eduroam_radius_auth_proxy_type=keyed-balance
eduroam_radius_acct=
radius_acct_proxy_type=load-balance
radius_auth=
eduroam_radius_auth_compute_in_pf=enabled
eduroam_radius_acct_proxy_type=load-balance
radius_acct=

[1 NULL]
permit_custom_attributes=disabled
radius_auth_proxy_type=keyed-balance
radius_auth_compute_in_pf=enabled
eduroam_radius_auth=
domain=PCS
eduroam_radius_auth_proxy_type=keyed-balance
eduroam_radius_acct=
radius_acct_proxy_type=load-balance
radius_auth=
eduroam_radius_auth_compute_in_pf=enabled
eduroam_radius_acct_proxy_type=load-balance
radius_acct=
[root@pf428 conf]#

Thanks,
Bill

From: Ludovic Zammit <[email protected]>
Sent: Thursday, April 30, 2020 9:22 AM
To: Bill Handler <[email protected]>
Cc: [email protected]
Subject: Re: [PacketFence-users] 802.1x Computer and User Authentication

Could you post the conf/realm.conf ?

cat /usr/local/pf/conf/realm.conf

Thanks,

Ludovic Zammit
[email protected] :: +1.514.447.4918 (x145) :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence (http://packetfence.org)

On Apr 30, 2020, at 9:19 AM, Bill Handler <[email protected]> wrote:

Ludovic,

For that authentication it shows Realm default – my Domain is listed in both the default and null realms.

Thanks,
Bill

From: Ludovic Zammit <[email protected]>
Sent: Thursday, April 30, 2020 9:16 AM
To: Bill Handler <[email protected]>
Cc: [email protected]
Subject: Re: [PacketFence-users] 802.1x Computer and User Authentication

Bill,

What’s the realm assigned to your connection if you look it up in the Auditing tab in the web admin?

Is that realm stripping in radius authorization?

Thanks,

Ludovic Zammit

On Apr 30, 2020, at 9:12 AM, Bill Handler <[email protected]> wrote:

Ludovic,

Thanks for the quick reply… Looking in the log, I think I found the issue in this log entry:

Apr 30 08:58:19 PFserver packetfence_httpd.aaa: httpd.aaa(2385) INFO: [mac:XX:XX:XX:XX:XX:XX] Role has already been computed and we don't want to recompute it. Getting role from node_info (pf::role::getRegisteredRole)

Here is a screenshot of my 802.1x profile settings, which I think are correct – but I’m probably wrong lol :

<image002.jpg>

Thanks,
Bill

From: Ludovic Zammit <[email protected]>
Sent: Thursday, April 30, 2020 7:52 AM
To: Bill Handler <[email protected]>
Cc: [email protected]
Subject: Re: [PacketFence-users] 802.1x Computer and User Authentication

Hello Bill,

It looks like when it’s doing the user authentication the EAP authentication happens correctly but the Authorization does not work by not matching your rule in your AD source.

Could you paste a user authentication from the logs/packetfence.log? Remove personal info.

My guess is that your realm is not stripped, thus it’s not passing the correct username to the AD source and not matching.

Thanks,

Ludovic Zammit

On Apr 29, 2020, at 4:48 PM, Bill Handler via PacketFence-users <[email protected]> wrote:

Checking on if this is possible with PacketFence (using v10)…

For 802.1x authentication, we have set up for Users and Computers to authenticate. Currently, when a machine accesses the network it is automatically authenticated and gets the Machine role (we’re working with Windows 10 and GPO). When a user logs onto that machine, the user is authenticated, and that user becomes the ‘Owner’ of that device – listed in the nodes section and RADIUS Audit Log Entry; however, the end-system/node keeps the machine role and does not get the user’s role.

Within the connection profile for 802.1x, we have the sources set so that the source for user auth (AD) is set above the machine auth, so it should get the role from the user auth source. I’ve verified using pftest that that user is authenticating against that role.

We’ve used another NAC solution and when a user logs into the machine under the same circumstances, the role flips to the user role. What I think happens/is supposed to happen is when a user logs into the machine, the machine logs out/deauthenticates so the user role is applied to the user. That is not happening with PacketFence.

Any ideas on how to make this happen?

Thanks,
Bill

_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
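To make the realm-stripping point from the thread concrete, the following is an added Python sketch (not PacketFence code) of how a RADIUS User-Name is split into machine/user identity and realm, how the realm is looked up in a realm.conf-style file using the "<tenant_id> <realm>" section style of the pasted config, and which username then reaches the directory source. The `strip_in_authorization` key, the `pcs.local` realm and all user names are assumptions constructed for this illustration.

```python
import configparser
from typing import NamedTuple, Optional

# Constructed realm file in the "<tenant_id> <realm>" section style of the pasted
# realm.conf. "strip_in_authorization" is a hypothetical key for this sketch only.
REALM_CONF = """
[1 DEFAULT]
domain=PCS
strip_in_authorization=disabled
[1 NULL]
domain=PCS
strip_in_authorization=disabled
[1 pcs.local]
domain=PCS
strip_in_authorization=enabled
"""
class Identity(NamedTuple):
    kind: str             # "machine" (host/...) or "user"
    user: str             # name without any realm decoration
    realm: Optional[str]  # realm written in the identity, None if absent

def parse_identity(user_name):
    """Split a RADIUS User-Name into kind, bare user and realm."""
    kind, name = "user", user_name
    if name.lower().startswith("host/"):  # Windows computer-auth identity
        kind, name = "machine", name[5:]
    if "\\" in name:                       # DOMAIN\user
        realm, user = name.split("\\", 1)
        return Identity(kind, user, realm)
    if "@" in name:                        # user@realm
        user, realm = name.rsplit("@", 1)
        return Identity(kind, user, realm)
    return Identity(kind, name, None)

def load_realms(text):
    # Map lower-cased realm name -> its settings, dropping the tenant id.
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return {s.split(" ", 1)[1].lower(): dict(cp[s]) for s in cp.sections()}

def authorization_username(user_name, realms):
    """Return (matched realm, username handed to the directory source)."""
    ident = parse_identity(user_name)
    if ident.realm is None:
        realm = "NULL"                     # no realm in the identity
    elif ident.realm.lower() in realms:
        realm = ident.realm
    else:
        realm = "DEFAULT"                  # unknown realm falls back here
    if realms[realm.lower()].get("strip_in_authorization") == "enabled":
        return realm, ident.user           # stripped: bare name reaches AD
    return realm, user_name                # unstripped: decoration stays
```

A `PCS\jdoe` identity falls into DEFAULT and is handed to the source unchanged, which is the situation in which a rule written against the bare account name never matches.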
