Hey Fabrice,

Removed the Host realm, added the domain.local realm. I set this realm to not strip on RADIUS. Is that correct? Still getting "can't connect to this network" on the test device. Here are the two logs:

Radius.log (on the second attempt to join the SSID shown below I unchecked "verify the server's identity by validating the certificate" on the Windows machine)

Jul 6 00:33:32 srv-pf-02 auth[29301]: Adding client 172.20.110.141/32
Jul 6 00:33:33 srv-pf-02 auth[29301]: (52074) eap_peap: ERROR: TLS Alert read:fatal:unknown CA
Jul 6 00:33:33 srv-pf-02 auth[29301]: (52074) eap_peap: ERROR: TLS_accept: Failed in error
Jul 6 00:33:33 srv-pf-02 auth[29301]: (52074) eap_peap: ERROR: Failed in __FUNCTION__ (SSL_read)
Jul 6 00:33:33 srv-pf-02 auth[29301]: [mac:00:e0:4c:19:dd:56] Rejected user: host/IT-VM-TEST.domain.local
Jul 6 00:33:33 srv-pf-02 auth[29301]: (52074) Login incorrect (eap_peap: TLS Alert read:fatal:unknown CA): [host/IT-VM-TEST. domain.local] (from client 172.20.110.141/32 port 1 cli 00:e0:4c:19:dd:56)
Jul 6 00:34:40 srv-pf-02 auth[29301]: (52087) Rejected in post-auth: [host/IT-VM-TEST. domain.local] (from client 172.20.110.141/32 port 1 cli 00:e0:4c:19:dd:56 via TLS tunnel)
Jul 6 00:34:40 srv-pf-02 auth[29301]: (52087) Login incorrect: [host/IT-VM-TEST. domain.local] (from client 172.20.110.141/32 port 1 cli 00:e0:4c:19:dd:56 via TLS tunnel)
Jul 6 00:34:40 srv-pf-02 auth[29301]: [mac:00:e0:4c:19:dd:56] Rejected user: host/IT-VM-TEST. domain.local
Jul 6 00:34:40 srv-pf-02 auth[29301]: (52088) Login incorrect (eap_peap: The users session was previously rejected: returning reject (again.)): [host/IT-VM-TEST. domain.local] (from client 172.20.110.141/32 port 1 cli 00:e0:4c:19:dd:56)

packetfence.log

Jul 6 00:34:40 srv-pf-02 packetfence_httpd.aaa: httpd.aaa(1907) WARN: [mac:00:e0:4c:19:dd:56] Unable to extract audit-session-id for module pf::Switch::Meraki::MR_v2. SSID-based VLAN assignments won't work. Make sure you enable Vendor Specific Attributes (VSA) on the AP if you want them to work. (pf::Switch::getCiscoAvPairAttribute)
Jul 6 00:34:40 srv-pf-02 packetfence_httpd.aaa: httpd.aaa(1907) INFO: [mac:00:e0:4c:19:dd:56] handling radius autz request: from switch_ip => (172.20.110.141), connection_type => Wireless-802.11-EAP,switch_mac => (92:18:98:40:47:69), mac => [00:e0:4c:19:dd:56], port => 1, username => "host/IT-VM-TEST. domain.local", ssid => WIFI-EPS (pf::radius::authorize)
Jul 6 00:34:40 srv-pf-02 packetfence_httpd.aaa: httpd.aaa(1907) INFO: [mac:00:e0:4c:19:dd:56] is doing machine auth with account 'host/IT-VM-TEST. domain.local'. (pf::radius::authorize)
Jul 6 00:34:40 srv-pf-02 packetfence_httpd.aaa: httpd.aaa(1907) INFO: [mac:00:e0:4c:19:dd:56] Instantiate profile EPS-Wifi (pf::Connection::ProfileFactory::_from_profile)
Jul 6 00:34:40 srv-pf-02 packetfence_httpd.aaa: httpd.aaa(1907) INFO: [mac:00:e0:4c:19:dd:56] Found authentication source(s) : 'AD_Domain-Computers' for realm ' domain.local' (pf::config::util::filter_authentication_sources)
Jul 6 00:34:40 srv-pf-02 packetfence_httpd.aaa: httpd.aaa(1907) INFO: [mac:00:e0:4c:19:dd:56] Using sources AD_Domain-Computers for matching (pf::authentication::match2)
Jul 6 00:34:40 srv-pf-02 packetfence_httpd.aaa: httpd.aaa(1907) WARN: [mac:00:e0:4c:19:dd:56] [AD_Domain-Computers Domain_Computers] Searching for (servicePrincipalName=host/IT-VM-TEST. domain.local), from DC= domain,DC=local, with scope sub (pf::Authentication::Source::LDAPSource::match_in_subclass)
Jul 6 00:34:40 srv-pf-02 packetfence_httpd.aaa: httpd.aaa(1907) INFO: [mac:00:e0:4c:19:dd:56] LDAP testing connection (pf::LDAP::expire_if)
Jul 6 00:34:40 srv-pf-02 packetfence_httpd.aaa: httpd.aaa(1907) ERROR: [mac:00:e0:4c:19:dd:56] Error binding: 'Connection reset by peer' (pf::LDAP::log_error_msg)
Jul 6 00:34:40 srv-pf-02 packetfence_httpd.aaa: httpd.aaa(1907) WARN: [mac:00:e0:4c:19:dd:56] LDAP connection expired (pf::LDAP::expire_if)
Jul 6 00:34:40 srv-pf-02 packetfence_httpd.aaa: httpd.aaa(1907) INFO: [mac:00:e0:4c:19:dd:56] No rules matches or no category defined for the node, set it as unreg. (pf::role::getNodeInfoForAutoReg)
Jul 6 00:34:40 srv-pf-02 packetfence_httpd.aaa: httpd.aaa(1907) WARN: [mac:00:e0:4c:19:dd:56] No category computed for autoreg (pf::role::getNodeInfoForAutoReg)
Jul 6 00:34:40 srv-pf-02 packetfence_httpd.aaa: httpd.aaa(1907) WARN: [mac:00:e0:4c:19:dd:56] No role specified or found for pid host/IT-VM-TEST. domain.local (MAC 00:e0:4c:19:dd:56); assume maximum number of registered nodes is reached (pf::node::is_max_reg_nodes_reached)
Jul 6 00:34:40 srv-pf-02 packetfence_httpd.aaa: httpd.aaa(1907) ERROR: [mac:00:e0:4c:19:dd:56] no role computed by any sources - registration of 00:e0:4c:19:dd:56 to host/IT-VM-TEST. domain.local failed (pf::registration::setup_node_for_registration)
Jul 6 00:34:40 srv-pf-02 packetfence_httpd.aaa: httpd.aaa(1907) ERROR: [mac:00:e0:4c:19:dd:56] auto-registration of node failed no role computed by any sources (pf::radius::authorize)
Jul 6 00:34:40 srv-pf-02 packetfence_httpd.aaa: httpd.aaa(1907) ERROR: [mac:00:e0:4c:19:dd:56] Database query failed with non retryable error: Cannot add or update a child row: a foreign key constraint fails (`pf`.`node`, CONSTRAINT `0_57` FOREIGN KEY (`tenant_id`, `pid`) REFERENCES `person` (`tenant_id`, `pid`) ON DELETE CASCADE ON UPDATE CASCADE) (errno: 1452) [INSERT INTO `node` ( `autoreg`, `bandwidth_balance`, `bypass_role_id`, `bypass_vlan`, `category_id`, `computername`, `detect_date`, `device_class`, `device_manufacturer`, `device_score`, `device_type`, `device_version`, `dhcp6_enterprise`, `dhcp6_fingerprint`, `dhcp_fingerprint`, `dhcp_vendor`, `last_arp`, `last_dhcp`, `last_seen`, `lastskip`, `mac`, `machine_account`, `notes`, `pid`, `regdate`, `sessionid`, `status`, `tenant_id`, `time_balance`, `unregdate`, `user_agent`, `voip`) VALUES ( ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, NOW(), ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ? ) ON DUPLICATE KEY UPDATE `autoreg` = ?, `last_seen` = NOW(), `machine_account` = ?, `pid` = ?, `tenant_id` = ?]{yes, NULL, NULL, NULL, NULL, NULL, 2020-07-06 00:09:30, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, 0000-00-00 00:00:00, 0000-00-00 00:00:00, 0000-00-00 00:00:00, 00:e0:4c:19:dd:56, host/IT-VM-TEST. domain.local, NULL, host/IT-VM-TEST. domain.local, 0000-00-00 00:00:00, NULL, unreg, 1, NULL, 0000-00-00 00:00:00, NULL, no, yes, host/IT-VM-TEST. domain.local, host/IT-VM-TEST. domain.local, 1} (pf::dal::db_execute)
Jul 6 00:34:40 srv-pf-02 packetfence_httpd.aaa: httpd.aaa(1907) ERROR: [mac:00:e0:4c:19:dd:56] Cannot save 00:e0:4c:19:dd:56 error (500) (pf::radius::authorize)

Thanks.
Mike

On Sunday, July 5, 2020, 08:22:42 PM EDT, Durand fabrice via PacketFence-users <packetfence-users@lists.sourceforge.net> wrote:

Hello Michael,

On 2020-06-30 at 00:02, Michael Brown via PacketFence-users wrote:

> Hi Guys,
> I am trying to get machine authentication working so that if a machine is a member of the Active Directory Domain Computers group it will join wifi without prompting the user for anything. The access points are all Meraki.
> On packetfence I have the following:
> Connection Profile
> Automatically register devices is turned on
> Connection Type = Wireless-802.11 EAP
> Authentication Profile
> Realm: Host

Realm can't be Host, it's supposed to be the FQDN of the domain, like host/x1234.acme.com: the realm is acme.com.
So create the realm acme.com, associate the domain to it and in the authentication source (AD) edit the authentication rule and remove Realm = host.
Next connect to the SSID and paste the packetfence.log and the radius.log file if it still doesn't work.

Regards
Fabrice

> Group Membership > is a member of > CN=Domain Computers,CN=Users,DC=xxxxx,DC=local
> Role > Default
> Access Duration > 1hr
> Username Attribute = servicePrincipalName
> On a domain device that is a member of Domain Computers, when I choose to join the wireless network it is prompting me for a username and password. Any ideas on how I can get the Domain Computer devices to auto join?
> Thanks a lot.
> Mike

_______________________________________________
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users
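The two logs above fail at several points in sequence (client rejects the RADIUS server certificate with "unknown CA", then the LDAP bind to AD is reset, then no role is computed and the node insert fails). The script below is an added triage helper, not part of the thread or of PacketFence itself: it scans mixed radius.log/packetfence.log lines, reports the earliest failed stage as the root cause, and derives the realm a "host/<fqdn>" machine account needs, following Fabrice's rule (host/x1234.acme.com gives realm acme.com). The stage signatures and the sample lines are taken from the logs quoted above; the sample is a constructed, shortened excerpt.

```python
import re

# Constructed excerpt: shortened copies of the radius.log / packetfence.log lines in the thread.
SAMPLE_LOG = """\
Jul 6 00:33:33 srv-pf-02 auth[29301]: (52074) eap_peap: ERROR: TLS Alert read:fatal:unknown CA
Jul 6 00:33:33 srv-pf-02 auth[29301]: (52074) Login incorrect (eap_peap: TLS Alert read:fatal:unknown CA): [host/IT-VM-TEST.domain.local] (from client 172.20.110.141/32 port 1 cli 00:e0:4c:19:dd:56)
Jul 6 00:34:40 srv-pf-02 packetfence_httpd.aaa: httpd.aaa(1907) ERROR: [mac:00:e0:4c:19:dd:56] Error binding: 'Connection reset by peer' (pf::LDAP::log_error_msg)
Jul 6 00:34:40 srv-pf-02 packetfence_httpd.aaa: httpd.aaa(1907) ERROR: [mac:00:e0:4c:19:dd:56] no role computed by any sources - registration of 00:e0:4c:19:dd:56 to host/IT-VM-TEST.domain.local failed (pf::registration::setup_node_for_registration)
"""

# Stages of a PEAP machine-auth attempt in the order they run, each with the log signature
# that marks it as failed. The earliest failed stage is the root cause; later ones are
# knock-on effects (no LDAP lookup means no role, no role means the node insert fails).
STAGES = [
    ("tls_handshake", re.compile(r"TLS Alert read:fatal:(?P<detail>[^)]+)")),
    ("ldap_bind", re.compile(r"Error binding: '(?P<detail>[^']+)'")),
    ("role_computation", re.compile(r"(?P<detail>no role computed by any sources)")),
    ("db_write", re.compile(r"(?P<detail>foreign key constraint fails)")),
]
MAC_RE = re.compile(r"(?:mac:|cli )((?:[0-9a-f]{2}:){5}[0-9a-f]{2})")  # client MAC only
USER_RE = re.compile(r"host/[\w.\-]+")                                 # machine accounts


def realm_for_machine_account(username):
    """Realm to configure in PacketFence for a 'host/<fqdn>' machine account: the FQDN
    minus its first label (host/x1234.acme.com -> acme.com). Stray spaces, as in the
    anonymised log lines of the thread, are dropped; non-machine accounts give None."""
    if not username.startswith("host/"):
        return None
    fqdn = username[len("host/"):].replace(" ", "")
    return fqdn.split(".", 1)[1].lower() if "." in fqdn else None


def triage(log_text):
    """Scan log lines and report root-cause stage, all failed stages, users and MACs."""
    hits = {}  # stage -> first detail string seen for it
    users, macs = set(), set()
    for line in log_text.splitlines():
        users.update(USER_RE.findall(line))
        macs.update(MAC_RE.findall(line))
        for stage, pattern in STAGES:
            m = pattern.search(line)
            if m and stage not in hits:
                hits[stage] = m.group("detail").strip()
    failed = [stage for stage, _ in STAGES if stage in hits]
    return {
        "root_cause": failed[0] if failed else None,
        "detail": hits[failed[0]] if failed else None,
        "stages_failed": failed,
        "users": users,
        "macs": macs,
    }
```

Run against the thread's logs it points at the TLS stage first: until the client trusts the CA that issued the RADIUS server certificate, the LDAP and role errors that follow cannot be evaluated in isolation.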