Hi Fabrice,

You were right. As soon as I changed the Auth Source for Domain Computers to MemberOf is CN=Domain Computers,OU=Domain Groups,DC=eatontown,DC=local it worked, the only caveat being that on the client I had to manually add the SSID and make sure I set it to not check the certificate. To eliminate the need to manually add the SSID to the client I created and imported a cert from our MSPKI by doing what is on page 215 of the Installation Guide, and all good now. The machines join no problem.

The only thing is none of the settings I updated in the eap.conf file appear in the PacketFence Admin Web Portal. Everything in the following sections is still showing what appeared before I made the changes to the eap.conf file:

System Configuration > Radius > EAP Profiles
System Configuration > Radius > TLS Profiles
System Configuration > SSL Certificates > Radius

Shouldn't the changes I made be reflected somewhere in the portal?

Thanks again for the help.

On Monday, July 6, 2020, 10:13:31 PM EDT, Durand fabrice <fdur...@inverse.ca> wrote:

> On 20-07-06 at 22:01, Michael Brown wrote:
>> Hi Fabrice,
>> When I do a test from the AD_Domain-Computers Auth Source I get a green check.
> Ok good.
>> Here is the authentication.conf
>> Thanks for the help.
>>
>> # Copyright (C) Inverse inc.
>> [local]
>> description=Local Users
>> type=SQL
>>
>> [file1]
>> description=Legacy Source
>> path=/usr/local/pf/conf/admin.conf
>> type=Htpasswd
>> realms=null
>>
>> [file1 rule admins]
>> description=All admins
>> class=administration
>> match=all
>> action0=set_access_level=ALL
>> status=enabled
>>
>> [sms]
>> description=SMS-based registration
>> sms_carriers=100056,100057,100061,100058,100059,100060,100062,100063,100071,100064,100116,100066,100117,100112,100067,100065,100068,100069,100070,100118,100115,100072,100073,100074,100075,100076,100077,100085,100086,100080,100079,100081,100083,100082,100084,100087,100088,100111,100089,100090,100091,100092,100093,100094,100095,100096,100098,100097,100099,100100,100101,100113,100102,100103,100104,100106,100105,100107,100108,100109,100114,100110,100078,100119,100120,100121,100122,100123,100124,100125,100126,100127,100128
>> type=SMS
>> create_local_account=no
>>
>> [sms rule catchall]
>> description=
>> class=authentication
>> match=all
>> action0=set_role=guest
>> action1=set_access_duration=1D
>> status=enabled
>>
>> [email]
>> description=Email-based registration
>> email_activation_timeout=10m
>> type=Email
>> allow_localdomain=yes
>> create_local_account=no
>>
>> [email rule catchall]
>> description=
>> class=authentication
>> match=all
>> action0=set_role=guest
>> action1=set_access_duration=1D
>> status=enabled
>>
>> [sponsor]
>> description=Sponsor-based registration
>> type=SponsorEmail
>> allow_localdomain=yes
>> create_local_account=no
>>
>> [sponsor rule catchall]
>> description=
>> class=authentication
>> match=all
>> action0=set_role=guest
>> action1=set_access_duration=1D
>> status=enabled
>>
>> [null]
>> description=Null Source
>> type=Null
>> email_required=no
>> set_access_durations_action=
>>
>> [null rule catchall]
>> action0=set_role=empty - None
>> status=enabled
>> match=all
>> class=authentication
>> action1=set_access_duration=1D
>> description=catchall
>>
>> [AD-Faculty]
>> cache_match=0
>> read_timeout=10
>> realms=domain.org,null
>> basedn=OU=Domain_Users,DC=domain,DC=local
>> monitor=1
>> password=xxxxxxxxxx
>> shuffle=0
>> searchattributes=
>> set_access_durations_action=
>> scope=sub
>> email_attribute=mail
>> usernameattribute=sAMAccountName
>> connection_timeout=1
>> binddn=CN=Admin\, PacketFence,OU=IT Utilty Accounts,OU=Domain_Users,DC=domain,DC=local
>> encryption=none
>> description=Active Directory - Faculty All
>> port=389
>> host=172.20.10.2
>> write_timeout=5
>> type=AD
>>
>> [AD-Faculty rule Faculty_All]
>> action0=set_role=default
>> condition0=groupMembership,is member of,CN=Faculty - All,OU=Domain Groups,DC=domain,DC=local
>> status=enabled
>> match=all
>> class=authentication
>> action1=set_access_duration=1h
>>
>> [AD_Domain-Computers]
>> cache_match=0
>> read_timeout=10
>> realms=domain.local
>> basedn=DC=domain,DC=local
>> monitor=1
>> password=xxxxxxxxxx
>> shuffle=0
>> searchattributes=
>> set_access_durations_action=
>> scope=sub
>> email_attribute=mail
>> usernameattribute=servicePrincipalName
>> connection_timeout=1
>> binddn=CN=Admin\, PacketFence,OU=IT Utilty Accounts,OU=Domain_Users,DC=domain,DC=local
>> encryption=none
>> description=Active Directory - Domain Computers
>> port=389
>> host=172.20.10.2
>> write_timeout=5
>> type=AD
>>
>> [AD_Domain-Computers rule Domain_Computers]
>> action0=set_role=default
>> condition0=groupMembership,is member of,CN=Domain Computers,OU=Domain Groups,DC=domain,DC=local
>> status=enabled
>> match=all
>> class=authentication
>> action1=set_access_duration=1h
> This one probably doesn't work (Domain_Computers), can you just test without the condition?
> In fact, if the DN of the computer is defined in the group then it's groupMembership "is member of" .... If the DN of the group is defined in the computer object then it's memberOf "is" ....
> You can check that with adsiedit.msc or with the advanced view in "Users and Computers".
> Regards
> Fabrice
>>
>> [EAPTLS rule Test]
>> action0=set_access_duration=1h
>> condition0=SSID,equals,WIFI-EPS
>> status=enabled
>> match=all
>> class=authentication
>> action1=set_role=guest
>>
>> On Monday, July 6, 2020, 09:04:24 PM EDT, Durand fabrice <fdur...@inverse.ca> wrote:
>>> Hello Michael,
>>> On 20-07-06 at 10:37, Michael Brown wrote:
>>>> Hey Fabrice,
>>>> Removed the Host realm, added the domain.local realm. I set this realm to not strip on radius. Is that correct?
>>> yes it's ok
>>>> Still getting can't connect to this network on the test device. Here are the two logs:
>>>>
>>>> Radius.log (on the second attempt to join the SSID shown below I unchecked "verify the server's identity by validating the certificate" on the Windows machine)
>>>> Jul 6 00:33:32 srv-pf-02 auth[29301]: Adding client 172.20.110.141/32
>>>> Jul 6 00:33:33 srv-pf-02 auth[29301]: (52074) eap_peap: ERROR: TLS Alert read:fatal:unknown CA
>>>> Jul 6 00:33:33 srv-pf-02 auth[29301]: (52074) eap_peap: ERROR: TLS_accept: Failed in error
>>>> Jul 6 00:33:33 srv-pf-02 auth[29301]: (52074) eap_peap: ERROR: Failed in __FUNCTION__ (SSL_read)
>>>> Jul 6 00:33:33 srv-pf-02 auth[29301]: [mac:00:e0:4c:19:dd:56] Rejected user: host/IT-VM-TEST.domain.local
>>>> Jul 6 00:33:33 srv-pf-02 auth[29301]: (52074) Login incorrect (eap_peap: TLS Alert read:fatal:unknown CA): [host/IT-VM-TEST. domain.local] (from client 172.20.110.141/32 port 1 cli 00:e0:4c:19:dd:56)
>>>> Jul 6 00:34:40 srv-pf-02 auth[29301]: (52087) Rejected in post-auth: [host/IT-VM-TEST. domain.local] (from client 172.20.110.141/32 port 1 cli 00:e0:4c:19:dd:56 via TLS tunnel)
>>> It means that it's rejected in packetfence and not in freeradius, so the 802.1x works.
>>>> Jul 6 00:34:40 srv-pf-02 auth[29301]: (52087) Login incorrect: [host/IT-VM-TEST. domain.local] (from client 172.20.110.141/32 port 1 cli 00:e0:4c:19:dd:56 via TLS tunnel)
>>>> Jul 6 00:34:40 srv-pf-02 auth[29301]: [mac:00:e0:4c:19:dd:56] Rejected user: host/IT-VM-TEST. domain.local
>>>> Jul 6 00:34:40 srv-pf-02 auth[29301]: (52088) Login incorrect (eap_peap: The users session was previously rejected: returning reject (again.)): [host/IT-VM-TEST. domain.local] (from client 172.20.110.141/32 port 1 cli 00:e0:4c:19:dd:56)
>>>>
>>>> packetfence.log
>>>> Jul 6 00:34:40 srv-pf-02 packetfence_httpd.aaa: httpd.aaa(1907) WARN: [mac:00:e0:4c:19:dd:56] Unable to extract audit-session-id for module pf::Switch::Meraki::MR_v2. SSID-based VLAN assignments won't work. Make sure you enable Vendor Specific Attributes (VSA) on the AP if you want them to work. (pf::Switch::getCiscoAvPairAttribute)
>>>> Jul 6 00:34:40 srv-pf-02 packetfence_httpd.aaa: httpd.aaa(1907) INFO: [mac:00:e0:4c:19:dd:56] handling radius autz request: from switch_ip => (172.20.110.141), connection_type => Wireless-802.11-EAP,switch_mac => (92:18:98:40:47:69), mac => [00:e0:4c:19:dd:56], port => 1, username => "host/IT-VM-TEST. domain.local", ssid => WIFI-EPS (pf::radius::authorize)
>>>> Jul 6 00:34:40 srv-pf-02 packetfence_httpd.aaa: httpd.aaa(1907) INFO: [mac:00:e0:4c:19:dd:56] is doing machine auth with account 'host/IT-VM-TEST. domain.local'. (pf::radius::authorize)
>>>> Jul 6 00:34:40 srv-pf-02 packetfence_httpd.aaa: httpd.aaa(1907) INFO: [mac:00:e0:4c:19:dd:56] Instantiate profile EPS-Wifi (pf::Connection::ProfileFactory::_from_profile)
>>>> Jul 6 00:34:40 srv-pf-02 packetfence_httpd.aaa: httpd.aaa(1907) INFO: [mac:00:e0:4c:19:dd:56] Found authentication source(s) : 'AD_Domain-Computers' for realm ' domain.local'(pf::config::util::filter_authentication_sources)
>>>> Jul 6 00:34:40 srv-pf-02 packetfence_httpd.aaa: httpd.aaa(1907) INFO: [mac:00:e0:4c:19:dd:56] Using sources AD_Domain-Computers for matching (pf::authentication::match2)
>>>> Jul 6 00:34:40 srv-pf-02 packetfence_httpd.aaa: httpd.aaa(1907) WARN: [mac:00:e0:4c:19:dd:56] [AD_Domain-Computers Domain_Computers] Searching for (servicePrincipalName=host/IT-VM-TEST. domain.local), from DC= domain,DC=local, with scope sub (pf::Authentication::Source::LDAPSource::match_in_subclass)
>>>> Jul 6 00:34:40 srv-pf-02 packetfence_httpd.aaa: httpd.aaa(1907) INFO: [mac:00:e0:4c:19:dd:56] LDAP testing connection (pf::LDAP::expire_if)
>>>> Jul 6 00:34:40 srv-pf-02 packetfence_httpd.aaa: httpd.aaa(1907) ERROR: [mac:00:e0:4c:19:dd:56] Error binding: 'Connection reset by peer' (pf::LDAP::log_error_msg)
>>> Error binding, can you check from the source itself when you click on test that it works?
>>>> Jul 6 00:34:40 srv-pf-02 packetfence_httpd.aaa: httpd.aaa(1907) WARN: [mac:00:e0:4c:19:dd:56] LDAP connection expired (pf::LDAP::expire_if)
>>>> Jul 6 00:34:40 srv-pf-02 packetfence_httpd.aaa: httpd.aaa(1907) INFO: [mac:00:e0:4c:19:dd:56] No rules matches or no category defined for the node, set it as unreg. (pf::role::getNodeInfoForAutoReg)
>>> There are no rules that matched in the AD_Domain-Computers, can you paste the content of authentication.conf (remove sensitive info).
>>>> Jul 6 00:34:40 srv-pf-02 packetfence_httpd.aaa: httpd.aaa(1907) WARN: [mac:00:e0:4c:19:dd:56] No category computed for autoreg (pf::role::getNodeInfoForAutoReg)
>>>> Jul 6 00:34:40 srv-pf-02 packetfence_httpd.aaa: httpd.aaa(1907) WARN: [mac:00:e0:4c:19:dd:56] No role specified or found for pid host/IT-VM-TEST. domain.local (MAC 00:e0:4c:19:dd:56); assume maximum number of registered nodes is reached (pf::node::is_max_reg_nodes_reached)
>>>> Jul 6 00:34:40 srv-pf-02 packetfence_httpd.aaa: httpd.aaa(1907) ERROR: [mac:00:e0:4c:19:dd:56] no role computed by any sources - registration of 00:e0:4c:19:dd:56 to host/IT-VM-TEST. domain.local failed (pf::registration::setup_node_for_registration)
>>>> Jul 6 00:34:40 srv-pf-02 packetfence_httpd.aaa: httpd.aaa(1907) ERROR: [mac:00:e0:4c:19:dd:56] auto-registration of node failed no role computed by any sources (pf::radius::authorize)
>>>> Jul 6 00:34:40 srv-pf-02 packetfence_httpd.aaa: httpd.aaa(1907) ERROR: [mac:00:e0:4c:19:dd:56] Database query failed with non retryable error: Cannot add or update a child row: a foreign key constraint fails (`pf`.`node`, CONSTRAINT `0_57` FOREIGN KEY (`tenant_id`, `pid`) REFERENCES `person` (`tenant_id`, `pid`) ON DELETE CASCADE ON UPDATE CASCADE) (errno: 1452) [INSERT INTO `node` ( `autoreg`, `bandwidth_balance`, `bypass_role_id`, `bypass_vlan`, `category_id`, `computername`, `detect_date`, `device_class`, `device_manufacturer`, `device_score`, `device_type`, `device_version`, `dhcp6_enterprise`, `dhcp6_fingerprint`, `dhcp_fingerprint`, `dhcp_vendor`, `last_arp`, `last_dhcp`, `last_seen`, `lastskip`, `mac`, `machine_account`, `notes`, `pid`, `regdate`, `sessionid`, `status`, `tenant_id`, `time_balance`, `unregdate`, `user_agent`, `voip`) VALUES ( ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, NOW(), ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ? ) ON DUPLICATE KEY UPDATE `autoreg` = ?, `last_seen` = NOW(), `machine_account` = ?, `pid` = ?, `tenant_id` = ?]{yes, NULL, NULL, NULL, NULL, NULL, 2020-07-06 00:09:30, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, 0000-00-00 00:00:00, 0000-00-00 00:00:00, 0000-00-00 00:00:00, 00:e0:4c:19:dd:56, host/IT-VM-TEST. domain.local, NULL, host/IT-VM-TEST. domain.local, 0000-00-00 00:00:00, NULL, unreg, 1, NULL, 0000-00-00 00:00:00, NULL, no, yes, host/IT-VM-TEST. domain.local, host/IT-VM-TEST. domain.local, 1} (pf::dal::db_execute)
>>>> Jul 6 00:34:40 srv-pf-02 packetfence_httpd.aaa: httpd.aaa(1907) ERROR: [mac:00:e0:4c:19:dd:56] Cannot save 00:e0:4c:19:dd:56 error (500) (pf::radius::authorize)
>>>>
>>>> Thanks.
>>>> Mike
>>> Regards
>>> Fabrice
>>>>
>>>> On Sunday, July 5, 2020, 08:22:42 PM EDT, Durand fabrice via PacketFence-users <packetfence-users@lists.sourceforge.net> wrote:
>>>>> Hello Michael,
>>>>> On 20-06-30 at 00:02, Michael Brown via PacketFence-users wrote:
>>>>>> Hi Guys,
>>>>>> I am trying to get machine authentication working so that if a machine is a member of the Active Directory Domain Computers group it will join wifi without prompting the user for anything. The access points are all Meraki.
>>>>>> On packetfence I have the following:
>>>>>> Connection Profile
>>>>>> Automatically register devices is turned on
>>>>>> Connection Type = Wireless-802.11 EAP
>>>>>> Authentication Profile
>>>>>> Realm: Host
>>>>> Realm can't be Host, it's supposed to be the FQDN of the domain, like host/x1234.acme.com: the realm is acme.com.
>>>>> So create the realm acme.com, associate the domain to it and in the authentication source (AD) edit the authentication rule and remove Realm = host.
>>>>> Next connect to the SSID and paste the packetfence.log and the radius.log file if it still doesn't work.
>>>>> Regards
>>>>> Fabrice
>>>>>> Group Membership > is a member of > CN=DomainComputers,CN=Users,DC=xxxxx,DC=local
>>>>>> Role > Default
>>>>>> Access Duration > 1hr
>>>>>> Username Attribute = servicePrincipalName
>>>>>> On a domain device that is a member of Domain Computers, when I choose to join the wireless network it is prompting me for a username and password. Any ideas on how I can get the Domain Computer devices to auto join?
>>>>>> Thanks a lot.
>>>>>> Mike
>>>>>> _______________________________________________
>>>>>> PacketFence-users mailing list
>>>>>> PacketFence-users@lists.sourceforge.net
>>>>>> https://lists.sourceforge.net/lists/listinfo/packetfence-users
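As an added illustration (not code from the thread, and not PacketFence's own implementation), the following Python models the lookup the logs above walk through: the realm is taken from the host/FQDN identity the way Fabrice describes (host/x1234.acme.com gives acme.com, never the literal "host"), the identity is escaped before it is placed in the servicePrincipalName filter, and membership is then checked from the group side (groupMembership, the group's member attribute), from the object side (memberOf), and through the primary group, which in Active Directory is linked only by primaryGroupID and shows up in neither attribute. The directory contents, DNs and group names are constructed for the example.

```python
import re

# Constructed sample directory (not from the thread): DN -> attribute lists.
# In AD, memberOf is the back-link of member, so the two normally agree; the
# primary group (the built-in Domain Computers, RID 515, for computer accounts)
# is linked only through primaryGroupID/primaryGroupToken and is in neither.
DIRECTORY = {
    "CN=IT-VM-TEST,CN=Computers,DC=domain,DC=local": {
        "servicePrincipalName": ["HOST/IT-VM-TEST", "HOST/IT-VM-TEST.domain.local"],
        "memberOf": ["CN=Wifi Computers,OU=Domain Groups,DC=domain,DC=local"],
        "primaryGroupID": ["515"],
    },
    "CN=Wifi Computers,OU=Domain Groups,DC=domain,DC=local": {
        "member": ["CN=IT-VM-TEST,CN=Computers,DC=domain,DC=local"],
        "primaryGroupToken": ["1105"],
    },
    "CN=Domain Computers,CN=Users,DC=domain,DC=local": {
        "member": [],                      # primary-group members are not listed here
        "primaryGroupToken": ["515"],
    },
}

def split_machine_identity(user_name):
    """'host/IT-VM-TEST.domain.local' -> ('IT-VM-TEST', 'domain.local')."""
    m = re.fullmatch(r"host/([^./]+)\.(.+)", user_name.strip(), re.IGNORECASE)
    if not m:
        raise ValueError("not a host/FQDN machine identity: %r" % user_name)
    return m.group(1), m.group(2)

def ldap_escape(value):
    """RFC 4515 escaping: an identity received over RADIUS must not alter the filter."""
    return re.sub(r"[\\*()\x00]", lambda c: "\\%02x" % ord(c.group()), value)

def spn_filter(user_name):
    return "(servicePrincipalName=%s)" % ldap_escape(user_name)

def find_by_spn(directory, user_name):
    """DN whose servicePrincipalName holds the identity; AD compares this attribute case-insensitively."""
    wanted = user_name.lower()
    for dn, attrs in directory.items():
        if wanted in (s.lower() for s in attrs.get("servicePrincipalName", [])):
            return dn
    return None

def membership(directory, obj_dn, group_dn):
    """The three ways a computer object can belong to a group."""
    obj, grp = directory[obj_dn], directory[group_dn]
    return {
        "groupMembership": obj_dn in grp.get("member", []),   # checked on the group
        "memberOf": group_dn in obj.get("memberOf", []),      # checked on the object
        "primaryGroup": obj.get("primaryGroupID") == grp.get("primaryGroupToken"),
    }
```

A rule that only checks member or memberOf will therefore never match a computer whose sole link to the group is the primary-group one.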