Hey Fabrice,

Removed the Host realm, added the domain.local realm. I set this realm to not strip on RADIUS. Is that correct?

Still getting "can't connect to this network" on the test device.

Here are the two logs:

Radius.log (on the second attempt to join the SSID shown below I unchecked "verify the server's identity by validating the certificate" on the Windows machine):
Jul  6 00:33:32 srv-pf-02 auth[29301]: Adding client 172.20.110.141/32
Jul  6 00:33:33 srv-pf-02 auth[29301]: (52074) eap_peap: ERROR: TLS Alert read:fatal:unknown CA
Jul  6 00:33:33 srv-pf-02 auth[29301]: (52074) eap_peap: ERROR: TLS_accept: Failed in error
Jul  6 00:33:33 srv-pf-02 auth[29301]: (52074) eap_peap: ERROR: Failed in __FUNCTION__ (SSL_read)
Jul  6 00:33:33 srv-pf-02 auth[29301]: [mac:00:e0:4c:19:dd:56] Rejected user: host/IT-VM-TEST.domain.local
Jul  6 00:33:33 srv-pf-02 auth[29301]: (52074) Login incorrect (eap_peap: TLS Alert read:fatal:unknown CA): [host/IT-VM-TEST. domain.local] (from client 172.20.110.141/32 port 1 cli 00:e0:4c:19:dd:56)
Jul  6 00:34:40 srv-pf-02 auth[29301]: (52087)   Rejected in post-auth: [host/IT-VM-TEST. domain.local] (from client 172.20.110.141/32 port 1 cli 00:e0:4c:19:dd:56 via TLS tunnel)
Jul  6 00:34:40 srv-pf-02 auth[29301]: (52087)   Login incorrect: [host/IT-VM-TEST. domain.local] (from client 172.20.110.141/32 port 1 cli 00:e0:4c:19:dd:56 via TLS tunnel)
Jul  6 00:34:40 srv-pf-02 auth[29301]: [mac:00:e0:4c:19:dd:56] Rejected user: host/IT-VM-TEST. domain.local
Jul  6 00:34:40 srv-pf-02 auth[29301]: (52088) Login incorrect (eap_peap: The users session was previously rejected: returning reject (again.)): [host/IT-VM-TEST. domain.local] (from client 172.20.110.141/32 port 1 cli 00:e0:4c:19:dd:56)

packetfence.log
Jul  6 00:34:40 srv-pf-02 packetfence_httpd.aaa: httpd.aaa(1907) WARN: [mac:00:e0:4c:19:dd:56] Unable to extract audit-session-id for module pf::Switch::Meraki::MR_v2. SSID-based VLAN assignments won't work. Make sure you enable Vendor Specific Attributes (VSA) on the AP if you want them to work. (pf::Switch::getCiscoAvPairAttribute)
Jul  6 00:34:40 srv-pf-02 packetfence_httpd.aaa: httpd.aaa(1907) INFO: [mac:00:e0:4c:19:dd:56] handling radius autz request: from switch_ip => (172.20.110.141), connection_type => Wireless-802.11-EAP,switch_mac => (92:18:98:40:47:69), mac => [00:e0:4c:19:dd:56], port => 1, username => "host/IT-VM-TEST. domain.local", ssid => WIFI-EPS (pf::radius::authorize)
Jul  6 00:34:40 srv-pf-02 packetfence_httpd.aaa: httpd.aaa(1907) INFO: [mac:00:e0:4c:19:dd:56] is doing machine auth with account 'host/IT-VM-TEST. domain.local'. (pf::radius::authorize)
Jul  6 00:34:40 srv-pf-02 packetfence_httpd.aaa: httpd.aaa(1907) INFO: [mac:00:e0:4c:19:dd:56] Instantiate profile EPS-Wifi (pf::Connection::ProfileFactory::_from_profile)
Jul  6 00:34:40 srv-pf-02 packetfence_httpd.aaa: httpd.aaa(1907) INFO: [mac:00:e0:4c:19:dd:56] Found authentication source(s) : 'AD_Domain-Computers' for realm ' domain.local' (pf::config::util::filter_authentication_sources)
Jul  6 00:34:40 srv-pf-02 packetfence_httpd.aaa: httpd.aaa(1907) INFO: [mac:00:e0:4c:19:dd:56] Using sources AD_Domain-Computers for matching (pf::authentication::match2)
Jul  6 00:34:40 srv-pf-02 packetfence_httpd.aaa: httpd.aaa(1907) WARN: [mac:00:e0:4c:19:dd:56] [AD_Domain-Computers Domain_Computers] Searching for (servicePrincipalName=host/IT-VM-TEST. domain.local), from DC= domain,DC=local, with scope sub (pf::Authentication::Source::LDAPSource::match_in_subclass)
Jul  6 00:34:40 srv-pf-02 packetfence_httpd.aaa: httpd.aaa(1907) INFO: [mac:00:e0:4c:19:dd:56] LDAP testing connection (pf::LDAP::expire_if)
Jul  6 00:34:40 srv-pf-02 packetfence_httpd.aaa: httpd.aaa(1907) ERROR: [mac:00:e0:4c:19:dd:56] Error binding: 'Connection reset by peer' (pf::LDAP::log_error_msg)
Jul  6 00:34:40 srv-pf-02 packetfence_httpd.aaa: httpd.aaa(1907) WARN: [mac:00:e0:4c:19:dd:56] LDAP connection expired (pf::LDAP::expire_if)
Jul  6 00:34:40 srv-pf-02 packetfence_httpd.aaa: httpd.aaa(1907) INFO: [mac:00:e0:4c:19:dd:56] No rules matches or no category defined for the node, set it as unreg. (pf::role::getNodeInfoForAutoReg)
Jul  6 00:34:40 srv-pf-02 packetfence_httpd.aaa: httpd.aaa(1907) WARN: [mac:00:e0:4c:19:dd:56] No category computed for autoreg (pf::role::getNodeInfoForAutoReg)
Jul  6 00:34:40 srv-pf-02 packetfence_httpd.aaa: httpd.aaa(1907) WARN: [mac:00:e0:4c:19:dd:56] No role specified or found for pid host/IT-VM-TEST. domain.local (MAC 00:e0:4c:19:dd:56); assume maximum number of registered nodes is reached (pf::node::is_max_reg_nodes_reached)
Jul  6 00:34:40 srv-pf-02 packetfence_httpd.aaa: httpd.aaa(1907) ERROR: [mac:00:e0:4c:19:dd:56] no role computed by any sources - registration of 00:e0:4c:19:dd:56 to host/IT-VM-TEST. domain.local failed (pf::registration::setup_node_for_registration)
Jul  6 00:34:40 srv-pf-02 packetfence_httpd.aaa: httpd.aaa(1907) ERROR: [mac:00:e0:4c:19:dd:56] auto-registration of node failed no role computed by any sources (pf::radius::authorize)
Jul  6 00:34:40 srv-pf-02 packetfence_httpd.aaa: httpd.aaa(1907) ERROR: [mac:00:e0:4c:19:dd:56] Database query failed with non retryable error: Cannot add or update a child row: a foreign key constraint fails (`pf`.`node`, CONSTRAINT `0_57` FOREIGN KEY (`tenant_id`, `pid`) REFERENCES `person` (`tenant_id`, `pid`) ON DELETE CASCADE ON UPDATE CASCADE) (errno: 1452) [INSERT INTO `node` ( `autoreg`, `bandwidth_balance`, `bypass_role_id`, `bypass_vlan`, `category_id`, `computername`, `detect_date`, `device_class`, `device_manufacturer`, `device_score`, `device_type`, `device_version`, `dhcp6_enterprise`, `dhcp6_fingerprint`, `dhcp_fingerprint`, `dhcp_vendor`, `last_arp`, `last_dhcp`, `last_seen`, `lastskip`, `mac`, `machine_account`, `notes`, `pid`, `regdate`, `sessionid`, `status`, `tenant_id`, `time_balance`, `unregdate`, `user_agent`, `voip`) VALUES ( ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, NOW(), ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ? ) ON DUPLICATE KEY UPDATE `autoreg` = ?, `last_seen` = NOW(), `machine_account` = ?, `pid` = ?, `tenant_id` = ?]{yes, NULL, NULL, NULL, NULL, NULL, 2020-07-06 00:09:30, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, 0000-00-00 00:00:00, 0000-00-00 00:00:00, 0000-00-00 00:00:00, 00:e0:4c:19:dd:56, host/IT-VM-TEST. domain.local, NULL, host/IT-VM-TEST. domain.local, 0000-00-00 00:00:00, NULL, unreg, 1, NULL, 0000-00-00 00:00:00, NULL, no, yes, host/IT-VM-TEST. domain.local, host/IT-VM-TEST. domain.local, 1} (pf::dal::db_execute)
Jul  6 00:34:40 srv-pf-02 packetfence_httpd.aaa: httpd.aaa(1907) ERROR: [mac:00:e0:4c:19:dd:56] Cannot save 00:e0:4c:19:dd:56 error (500) (pf::radius::authorize)

Thanks.
Mike
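The two logs above show two different failures on the two join attempts: the first attempt dies at the TLS handshake ("unknown CA", the client does not trust the RADIUS server certificate), the second gets through the tunnel but PacketFence cannot bind to the AD source, so no rule matches, no role is computed, and the node insert then fails on the person foreign key. The following script is an added example written for this thread, not PacketFence or FreeRADIUS code. It scans radius.log and packetfence.log lines for those four signatures in pipeline order and reports the earliest one, since the later ones are consequences; it also derives the realm from a RADIUS username the way Fabrice's reply describes (host/x1234.acme.com belongs to realm acme.com). The stage names, the advice strings and the sample log lines are constructed for the example.

```python
"""Triage the machine-auth failures pasted in the thread above.

Added example, not PacketFence or FreeRADIUS code.  Scans radius.log /
packetfence.log lines for four failure signatures in pipeline order
(TLS trust -> LDAP bind -> role -> DB write) and reports the earliest.
Also derives the RADIUS realm from a username.  Sample lines are constructed.
"""
import re

# Failure signatures in the order the auth pipeline hits them.
STAGES = [
    ("tls_unknown_ca", re.compile(r"TLS Alert read:fatal:unknown CA")),
    ("ldap_bind",      re.compile(r"Error binding: '([^']*)'")),
    ("no_role",        re.compile(r"no role computed by any sources")),
    ("db_fk",          re.compile(r"foreign key constraint fails")),
]

# Defender-side reading of each stage, based on the thread's own log text.
ADVICE = {
    "tls_unknown_ca": "supplicant rejected the RADIUS server certificate; "
                      "trust the issuing CA on the client instead of "
                      "disabling server validation",
    "ldap_bind":      "PacketFence could not bind to the AD source, so its "
                      "rules never ran; check LDAP host, port and bind "
                      "credentials first",
    "no_role":        "no authentication rule matched, so no role was "
                      "assigned; check the realm and the source's rules",
    "db_fk":          "node row has no matching person row; this follows "
                      "from the failed auto-registration",
}

MAC_RE = re.compile(r"\[mac:([0-9a-f]{2}(?::[0-9a-f]{2}){5})\]")


def realm_of(username):
    """Realm a RADIUS username belongs to, or None if it carries none.

    host/IT-VM-TEST.domain.local -> domain.local (machine SPN)
    alice@domain.local -> domain.local (NAI form); DOMAIN\\alice -> DOMAIN
    """
    # Whitespace is dropped because the redacted logs in the thread show a
    # stray space inside the SPN ("IT-VM-TEST. domain.local").
    username = re.sub(r"\s+", "", username)
    if username.startswith("host/"):
        _host, _dot, domain = username[len("host/"):].partition(".")
        return domain or None
    if "@" in username:
        return username.rsplit("@", 1)[1] or None
    if "\\" in username:
        return username.split("\\", 1)[0] or None
    return None


def triage(lines):
    """[(stage, mac_or_None, detail)] for the first hit of each stage."""
    findings, seen = [], set()
    for line in lines:
        for stage, rx in STAGES:
            m = rx.search(line)
            if m and stage not in seen:
                seen.add(stage)
                mac = MAC_RE.search(line)
                detail = m.group(1) if m.groups() else m.group(0)
                findings.append((stage, mac.group(1) if mac else None, detail))
    return findings


def root_cause(lines):
    """Earliest failed stage as (stage, mac, detail, advice), or None."""
    findings = triage(lines)
    if not findings:
        return None
    order = [stage for stage, _ in STAGES]
    stage, mac, detail = min(findings, key=lambda f: order.index(f[0]))
    return stage, mac, detail, ADVICE[stage]


# Constructed sample lines modelled on the two logs quoted in the thread.
SAMPLE_ATTEMPT_1 = [
    "Jul  6 00:33:33 srv-pf-02 auth[29301]: (52074) eap_peap: ERROR: "
    "TLS Alert read:fatal:unknown CA",
]
SAMPLE_ATTEMPT_2 = [
    "Jul  6 00:34:40 srv-pf-02 packetfence_httpd.aaa: httpd.aaa(1907) ERROR: "
    "[mac:00:e0:4c:19:dd:56] Error binding: 'Connection reset by peer' "
    "(pf::LDAP::log_error_msg)",
    "Jul  6 00:34:40 srv-pf-02 packetfence_httpd.aaa: httpd.aaa(1907) ERROR: "
    "[mac:00:e0:4c:19:dd:56] no role computed by any sources - registration "
    "of 00:e0:4c:19:dd:56 to host/IT-VM-TEST.domain.local failed",
    "Jul  6 00:34:40 srv-pf-02 packetfence_httpd.aaa: httpd.aaa(1907) ERROR: "
    "[mac:00:e0:4c:19:dd:56] Database query failed with non retryable error: "
    "Cannot add or update a child row: a foreign key constraint fails",
]

if __name__ == "__main__":
    for label, lines in (("attempt 1", SAMPLE_ATTEMPT_1),
                         ("attempt 2", SAMPLE_ATTEMPT_2)):
        print(label, root_cause(lines))
    print(realm_of("host/IT-VM-TEST. domain.local"))
```

Run against the real files with `root_cause(open("/usr/local/pf/logs/packetfence.log").readlines())` (the path is an assumption; use wherever your install writes its logs). The ordering matters: on the second attempt all three later stages fire within the same second, but the LDAP bind error is the one to chase first, because PacketFence cannot evaluate any rule, and therefore cannot compute a role or create the person row, until it can talk to the domain controller.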

On Sunday, July 5, 2020, 08:22:42 PM EDT, Durand fabrice via PacketFence-users <packetfence-users@lists.sourceforge.net> wrote:

Hello Michael,

On 20-06-30 at 00:02, Michael Brown via PacketFence-users wrote:

Hi Guys,

I am trying to get machine authentication working so that if a machine is a member of the Active Directory Domain Computers group it will join wifi without prompting the user for anything.
The access points are all Meraki.

On packetfence I have the following:

Connection Profile
  Automatically register devices is turned on
  Connection Type = Wireless-802.11 EAP

Authentication Profile
  Realm: Host

Realm can't be Host; it's supposed to be the FQDN of the domain. For host/x1234.acme.com the realm is acme.com.

So create the realm acme.com, associate the domain to it, and in the authentication source (AD) edit the authentication rule and remove Realm = host.

Next connect to the ssid and paste the packetfence.log and the radius.log file if it still doesn't work.

Regards

Fabrice

  Group Membership > is a member of > CN=Domain Computers,CN=Users,DC=xxxxx,DC=local
  Role > Default
  Access Duration > 1hr
  Username Attribute = servicePrincipalName

On a domain device that is a member of Domain Computers, when I choose to join the wireless network it is prompting me for a username and password.

Any ideas on how I can get the Domain Computer devices to auto join?

Thanks a lot.
Mike

  _______________________________________________
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users
 