Hello Michael,

On 20-07-06 at 10:37, Michael Brown wrote:
Hey Fabrice,

Removed the Host realm, added the domain.local realm. I set this realm to not strip on RADIUS. Is that correct?

Yes, it's OK.
Still getting can't connect to this network on the test device.

Here are the two logs:
radius.log (on the second attempt to join the SSID shown below I unchecked "Verify the server's identity by validating the certificate" on the Windows machine)

Jul6 00:33:32 srv-pf-02 auth[29301]: Adding client 172.20.110.141/32

Jul6 00:33:33 srv-pf-02 auth[29301]: (52074) eap_peap: ERROR: TLS Alert read:fatal:unknown CA

Jul6 00:33:33 srv-pf-02 auth[29301]: (52074) eap_peap: ERROR: TLS_accept: Failed in error

Jul6 00:33:33 srv-pf-02 auth[29301]: (52074) eap_peap: ERROR: Failed in __FUNCTION__ (SSL_read)

Jul6 00:33:33 srv-pf-02 auth[29301]: [mac:00:e0:4c:19:dd:56] Rejected user: host/IT-VM-TEST.domain.local

Jul6 00:33:33 srv-pf-02 auth[29301]: (52074) Login incorrect (eap_peap: TLS Alert read:fatal:unknown CA): [host/IT-VM-TEST. domain.local] (from client 172.20.110.141/32 port 1 cli 00:e0:4c:19:dd:56)

Jul6 00:34:40 srv-pf-02 auth[29301]: (52087) Rejected in post-auth: [host/IT-VM-TEST. domain.local] (from client 172.20.110.141/32 port 1 cli 00:e0:4c:19:dd:56 via TLS tunnel)
It means that it's rejected in PacketFence and not in FreeRADIUS, so the 802.1X works.
Jul6 00:34:40 srv-pf-02 auth[29301]: (52087) Login incorrect: [host/IT-VM-TEST. domain.local] (from client 172.20.110.141/32 port 1 cli 00:e0:4c:19:dd:56 via TLS tunnel)

Jul6 00:34:40 srv-pf-02 auth[29301]: [mac:00:e0:4c:19:dd:56] Rejected user: host/IT-VM-TEST. domain.local

Jul6 00:34:40 srv-pf-02 auth[29301]: (52088) Login incorrect (eap_peap: The users session was previously rejected: returning reject (again.)): [host/IT-VM-TEST. domain.local] (from client 172.20.110.141/32 port 1 cli 00:e0:4c:19:dd:56)

packetfence.log

Jul6 00:34:40 srv-pf-02 packetfence_httpd.aaa: httpd.aaa(1907) WARN: [mac:00:e0:4c:19:dd:56] Unable to extract audit-session-id for module pf::Switch::Meraki::MR_v2. SSID-based VLAN assignments won't work. Make sure you enable Vendor Specific Attributes (VSA) on the AP if you want them to work. (pf::Switch::getCiscoAvPairAttribute)

Jul6 00:34:40 srv-pf-02 packetfence_httpd.aaa: httpd.aaa(1907) INFO: [mac:00:e0:4c:19:dd:56] handling radius autz request: from switch_ip => (172.20.110.141), connection_type => Wireless-802.11-EAP,switch_mac => (92:18:98:40:47:69), mac => [00:e0:4c:19:dd:56], port => 1, username => "host/IT-VM-TEST. domain.local", ssid => WIFI-EPS (pf::radius::authorize)

Jul6 00:34:40 srv-pf-02 packetfence_httpd.aaa: httpd.aaa(1907) INFO: [mac:00:e0:4c:19:dd:56] is doing machine auth with account 'host/IT-VM-TEST. domain.local'. (pf::radius::authorize)

Jul6 00:34:40 srv-pf-02 packetfence_httpd.aaa: httpd.aaa(1907) INFO: [mac:00:e0:4c:19:dd:56] Instantiate profile EPS-Wifi (pf::Connection::ProfileFactory::_from_profile)

Jul6 00:34:40 srv-pf-02 packetfence_httpd.aaa: httpd.aaa(1907) INFO: [mac:00:e0:4c:19:dd:56] Found authentication source(s) : 'AD_Domain-Computers' for realm ' domain.local' (pf::config::util::filter_authentication_sources)

Jul6 00:34:40 srv-pf-02 packetfence_httpd.aaa: httpd.aaa(1907) INFO: [mac:00:e0:4c:19:dd:56] Using sources AD_Domain-Computers for matching (pf::authentication::match2)

Jul6 00:34:40 srv-pf-02 packetfence_httpd.aaa: httpd.aaa(1907) WARN: [mac:00:e0:4c:19:dd:56] [AD_Domain-Computers Domain_Computers] Searching for (servicePrincipalName=host/IT-VM-TEST. domain.local), from DC= domain,DC=local, with scope sub (pf::Authentication::Source::LDAPSource::match_in_subclass)

Jul6 00:34:40 srv-pf-02 packetfence_httpd.aaa: httpd.aaa(1907) INFO: [mac:00:e0:4c:19:dd:56] LDAP testing connection (pf::LDAP::expire_if)

Jul6 00:34:40 srv-pf-02 packetfence_httpd.aaa: httpd.aaa(1907) ERROR: [mac:00:e0:4c:19:dd:56] Error binding: 'Connection reset by peer' (pf::LDAP::log_error_msg)

Error binding: can you check, from the source itself, that it works when you click on Test?

Jul6 00:34:40 srv-pf-02 packetfence_httpd.aaa: httpd.aaa(1907) WARN: [mac:00:e0:4c:19:dd:56] LDAP connection expired (pf::LDAP::expire_if)

Jul6 00:34:40 srv-pf-02 packetfence_httpd.aaa: httpd.aaa(1907) INFO: [mac:00:e0:4c:19:dd:56] No rules matches or no category defined for the node, set it as unreg. (pf::role::getNodeInfoForAutoReg)

There are no rules that matched in AD_Domain-Computers; can you paste the content of authentication.conf (remove sensitive info)?

Jul6 00:34:40 srv-pf-02 packetfence_httpd.aaa: httpd.aaa(1907) WARN: [mac:00:e0:4c:19:dd:56] No category computed for autoreg (pf::role::getNodeInfoForAutoReg)

Jul6 00:34:40 srv-pf-02 packetfence_httpd.aaa: httpd.aaa(1907) WARN: [mac:00:e0:4c:19:dd:56] No role specified or found for pid host/IT-VM-TEST. domain.local (MAC 00:e0:4c:19:dd:56); assume maximum number of registered nodes is reached (pf::node::is_max_reg_nodes_reached)

Jul6 00:34:40 srv-pf-02 packetfence_httpd.aaa: httpd.aaa(1907) ERROR: [mac:00:e0:4c:19:dd:56] no role computed by any sources - registration of 00:e0:4c:19:dd:56 to host/IT-VM-TEST. domain.local failed (pf::registration::setup_node_for_registration)

Jul6 00:34:40 srv-pf-02 packetfence_httpd.aaa: httpd.aaa(1907) ERROR: [mac:00:e0:4c:19:dd:56] auto-registration of node failed no role computed by any sources (pf::radius::authorize)

Jul6 00:34:40 srv-pf-02 packetfence_httpd.aaa: httpd.aaa(1907) ERROR: [mac:00:e0:4c:19:dd:56] Database query failed with non retryable error: Cannot add or update a child row: a foreign key constraint fails (`pf`.`node`, CONSTRAINT `0_57` FOREIGN KEY (`tenant_id`, `pid`) REFERENCES `person` (`tenant_id`, `pid`) ON DELETE CASCADE ON UPDATE CASCADE) (errno: 1452) [INSERT INTO `node` ( `autoreg`, `bandwidth_balance`, `bypass_role_id`, `bypass_vlan`, `category_id`, `computername`, `detect_date`, `device_class`, `device_manufacturer`, `device_score`, `device_type`, `device_version`, `dhcp6_enterprise`, `dhcp6_fingerprint`, `dhcp_fingerprint`, `dhcp_vendor`, `last_arp`, `last_dhcp`, `last_seen`, `lastskip`, `mac`, `machine_account`, `notes`, `pid`, `regdate`, `sessionid`, `status`, `tenant_id`, `time_balance`, `unregdate`, `user_agent`, `voip`) VALUES ( ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, NOW(), ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ? ) ON DUPLICATE KEY UPDATE `autoreg` = ?, `last_seen` = NOW(), `machine_account` = ?, `pid` = ?, `tenant_id` = ?]{yes, NULL, NULL, NULL, NULL, NULL, 2020-07-06 00:09:30, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, 0000-00-00 00:00:00, 0000-00-00 00:00:00, 0000-00-00 00:00:00, 00:e0:4c:19:dd:56, host/IT-VM-TEST. domain.local, NULL, host/IT-VM-TEST. domain.local, 0000-00-00 00:00:00, NULL, unreg, 1, NULL, 0000-00-00 00:00:00, NULL, no, yes, host/IT-VM-TEST. domain.local, host/IT-VM-TEST. domain.local, 1} (pf::dal::db_execute)

Jul6 00:34:40 srv-pf-02 packetfence_httpd.aaa: httpd.aaa(1907) ERROR: [mac:00:e0:4c:19:dd:56] Cannot save 00:e0:4c:19:dd:56 error (500) (pf::radius::authorize)


Thanks.
Mike

Regards

Fabrice



On Sunday, July 5, 2020, 08:22:42 PM EDT, Durand fabrice via PacketFence-users <packetfence-users@lists.sourceforge.net> wrote:


Hello Michael,


On 20-06-30 at 00:02, Michael Brown via PacketFence-users wrote:
Hi Guys,

I am trying to get machine authentication working so that if a machine is a member of the Active Directory Domain Computers group it will join wifi without prompting the user for anything.

The access points are all Meraki.


On packetfence I have the following:
Connection Profile
Automatically register devices is turned on
Connection Type = Wireless-802.11 EAP

Authentication Profile
Realm: Host

Realm can't be Host; it's supposed to be the FQDN of the domain. For example, for host/x1234.acme.com the realm is acme.com.

So create the realm acme.com, associate the domain with it, and in the authentication source (AD) edit the authentication rule and remove Realm = host.

Next, connect to the SSID and paste the packetfence.log and radius.log files if it still doesn't work.

Regards

Fabrice


Group Membership > is a member of > CN=Domain Computers,CN=Users,DC=xxxxx,DC=local
Role > Default
Access Duration > 1hr
Username Attribute = servicePrincipalName


On a domain device that is a member of Domain Computers, when I choose to join the wireless network it is prompting me for a username and password.

Any ideas on how I can get the Domain Computer devices to auto join?

Thanks a lot.
Mike
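The two things this thread turns on are (a) which realm PacketFence derives from a machine-account User-Name such as host/IT-VM-TEST.domain.local (Fabrice's rule above: the domain FQDN after the first dot, never the literal "host"), and (b) reading radius.log and packetfence.log to tell a FreeRADIUS-side TLS failure from a PacketFence-side rejection. The script below is an added example written for this page; it is not PacketFence or FreeRADIUS code, the stage names and verdict wording are my own labels, the user@realm and REALM\user handling is an assumption beyond what the thread shows, and the sample log lines are constructed from the thread's excerpts.

```python
import re
from typing import List, Tuple

# Constructed sample: lines modelled on the radius.log / packetfence.log
# excerpts in the thread, trimmed to the fields the triage needs.
SAMPLE_LOG = """\
Jul6 00:33:33 srv-pf-02 auth[29301]: (52074) eap_peap: ERROR: TLS Alert read:fatal:unknown CA
Jul6 00:33:33 srv-pf-02 auth[29301]: [mac:00:e0:4c:19:dd:56] Rejected user: host/IT-VM-TEST.domain.local
Jul6 00:34:40 srv-pf-02 auth[29301]: (52087) Rejected in post-auth: [host/IT-VM-TEST.domain.local] (from client 172.20.110.141/32 port 1 cli 00:e0:4c:19:dd:56 via TLS tunnel)
Jul6 00:34:40 srv-pf-02 packetfence_httpd.aaa: httpd.aaa(1907) ERROR: [mac:00:e0:4c:19:dd:56] Error binding: 'Connection reset by peer' (pf::LDAP::log_error_msg)
Jul6 00:34:40 srv-pf-02 packetfence_httpd.aaa: httpd.aaa(1907) INFO: [mac:00:e0:4c:19:dd:56] No rules matches or no category defined for the node, set it as unreg. (pf::role::getNodeInfoForAutoReg)
Jul6 00:34:40 srv-pf-02 packetfence_httpd.aaa: httpd.aaa(1907) ERROR: [mac:00:e0:4c:19:dd:56] auto-registration of node failed no role computed by any sources (pf::radius::authorize)
"""


def realm_from_username(username: str) -> Tuple[str, str]:
    """Split a RADIUS User-Name into (identity, realm).
    For a machine account like host/IT-VM-TEST.domain.local the realm is the
    AD FQDN after the first dot (domain.local), following the rule given in
    the thread. The user@realm and REALM\\user forms are an assumption added
    here for completeness."""
    name = username.strip()
    if name.startswith("host/"):
        hostname, _, realm = name[len("host/"):].partition(".")
        return hostname.strip(), realm.strip()
    if "@" in name:
        user, _, realm = name.rpartition("@")
        return user, realm
    if "\\" in name:
        realm, _, user = name.partition("\\")
        return user, realm
    return name, ""


# MAC appears either as [mac:xx:..] (PacketFence) or after "cli " (FreeRADIUS).
MAC_RE = re.compile(r"(?:\[mac:|cli )([0-9a-f]{2}(?::[0-9a-f]{2}){5})")

# First matching pattern wins for a line; labels are this example's own.
STAGES = [
    # FreeRADIUS: the PEAP outer TLS handshake never completed.
    ("tls_unknown_ca", re.compile(r"TLS Alert read:fatal:unknown CA")),
    # FreeRADIUS after the tunnel: PacketFence's post-auth answered reject.
    ("rejected_post_auth", re.compile(r"Rejected in post-auth")),
    # PacketFence: the LDAP/AD source could not bind (reason captured).
    ("ldap_bind_error", re.compile(r"Error binding: '([^']*)'")),
    # PacketFence: no authentication rule matched, so no role was computed.
    ("no_role_computed", re.compile(r"No rules matches|no role computed by any sources")),
    ("db_fk_violation", re.compile(r"foreign key constraint fails")),
    ("missing_vsa", re.compile(r"Unable to extract audit-session-id")),
]

VERDICTS = {
    "tls_unknown_ca": "supplicant does not trust the RADIUS server certificate (PEAP outer TLS); fix client trust or the server cert before looking at PacketFence",
    "rejected_post_auth": "802.1X and the TLS tunnel completed; PacketFence rejected in post-auth, so check the authentication source and its rules",
    "ldap_bind_error": "PacketFence could not bind to the LDAP/AD source; use the source's Test button and check reachability and credentials",
    "no_role_computed": "no authentication rule matched, so no role and auto-registration failed; review the rules in authentication.conf and the realm",
    "db_fk_violation": "node insert failed a foreign key on person.pid; a consequence of the failed registration, not the root cause",
    "missing_vsa": "AP sent no VSAs; SSID-based VLAN assignment will not work (informational)",
}


def triage(log_text: str) -> List[Tuple[str, str, str]]:
    """Return (stage, mac, detail) for each line matching a known stage,
    in log order. mac is '' when the line carries no MAC address."""
    findings = []
    for line in log_text.splitlines():
        for stage, pattern in STAGES:
            m = pattern.search(line)
            if m:
                mac_m = MAC_RE.search(line)
                mac = mac_m.group(1) if mac_m else ""
                detail = m.group(1) if m.groups() else m.group(0)
                findings.append((stage, mac, detail))
                break
    return findings


def diagnose(findings: List[Tuple[str, str, str]]) -> List[str]:
    """Collapse findings to one verdict per stage, first-seen order, so the
    earliest failure (the one to fix first) comes out on top."""
    seen: List[str] = []
    for stage, _, _ in findings:
        if stage not in seen:
            seen.append(stage)
    return [f"{stage}: {VERDICTS[stage]}" for stage in seen]


if __name__ == "__main__":
    print(realm_from_username("host/IT-VM-TEST.domain.local"))
    for verdict in diagnose(triage(SAMPLE_LOG)):
        print(verdict)
```

Feed it the real files with `triage(open("/usr/local/pf/logs/radius.log").read() + open("/usr/local/pf/logs/packetfence.log").read())` (paths assumed; adjust to your install). The ordering matters: an unknown CA alert means the supplicant never opened the tunnel, so the PacketFence lines that follow only become relevant once that is fixed, which is exactly the split Fabrice makes between "rejected in PacketFence" and "rejected in FreeRADIUS".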







_______________________________________________
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users