Here is the authentication.conf
Thanks for the help.
# Copyright (C) Inverse inc.
[local]
description=Local Users
type=SQL
[file1]
description=Legacy Source
path=/usr/local/pf/conf/admin.conf
type=Htpasswd
realms=null
[file1 rule admins]
description=All admins
class=administration
match=all
action0=set_access_level=ALL
status=enabled
[sms]
description=SMS-based registration
sms_carriers=100056,100057,100061,100058,100059,100060,100062,100063,100071,100064,100116,100066,100117,100112,100067,100065,100068,100069,100070,100118,100115,100072,100073,100074,100075,100076,100077,100085,100086,100080,100079,100081,100083,100082,100084,100087,100088,100111,100089,100090,100091,100092,100093,100094,100095,100096,100098,100097,100099,100100,100101,100113,100102,100103,100104,100106,100105,100107,100108,100109,100114,100110,100078,100119,100120,100121,100122,100123,100124,100125,100126,100127,100128
type=SMS
create_local_account=no
[sms rule catchall]
description=
class=authentication
match=all
action0=set_role=guest
action1=set_access_duration=1D
status=enabled
[email]
description=Email-based registration
email_activation_timeout=10m
type=Email
allow_localdomain=yes
create_local_account=no
[email rule catchall]
description=
class=authentication
match=all
action0=set_role=guest
action1=set_access_duration=1D
status=enabled
[sponsor]
description=Sponsor-based registration
type=SponsorEmail
allow_localdomain=yes
create_local_account=no
[sponsor rule catchall]
description=
class=authentication
match=all
action0=set_role=guest
action1=set_access_duration=1D
status=enabled
[null]
description=Null Source
type=Null
email_required=no
set_access_durations_action=
[null rule catchall]
action0=set_role=empty - None
status=enabled
match=all
class=authentication
action1=set_access_duration=1D
description=catchall
[AD-Faculty]
cache_match=0
read_timeout=10
realms=domain.org,null
basedn=OU=Domain_Users,DC=domain,DC=local
monitor=1
password=xxxxxxxxxx
shuffle=0
searchattributes=
set_access_durations_action=
scope=sub
email_attribute=mail
usernameattribute=sAMAccountName
connection_timeout=1
binddn=CN=Admin\, PacketFence,OU=IT Utilty Accounts,OU=Domain_Users,DC=domain,DC=local
encryption=none
description=Active Directory - Faculty All
port=389
host=172.20.10.2
write_timeout=5
type=AD
[AD-Faculty rule Faculty_All]
action0=set_role=default
condition0=groupMembership,is member of,CN=Faculty - All,OU=Domain Groups,DC=domain,DC=local
status=enabled
match=all
class=authentication
action1=set_access_duration=1h
[AD_Domain-Computers]
cache_match=0
read_timeout=10
realms=domain.local
basedn=DC=domain,DC=local
monitor=1
password=xxxxxxxxxx
shuffle=0
searchattributes=
set_access_durations_action=
scope=sub
email_attribute=mail
usernameattribute=servicePrincipalName
connection_timeout=1
binddn=CN=Admin\, PacketFence,OU=IT Utilty Accounts,OU=Domain_Users,DC=domain,DC=local
encryption=none
description=Active Directory - Domain Computers
port=389
host=172.20.10.2
write_timeout=5
type=AD
[AD_Domain-Computers rule Domain_Computers]
action0=set_role=default
condition0=groupMembership,is member of,CN=Domain Computers,OU=Domain Groups,DC=domain,DC=local
status=enabled
match=all
class=authentication
action1=set_access_duration=1h
[EAPTLS rule Test]
action0=set_access_duration=1h
condition0=SSID,equals,WIFI-EPS
status=enabled
match=all
class=authentication
action1=set_role=guest
On Monday, July 6, 2020, 09:04:24 PM EDT, Durand fabrice <fdur...@inverse.ca> wrote:
Hello Michael,
On 20-07-06 at 10:37 AM, Michael Brown wrote:
Hey Fabrice,
Removed the Host realm, added the domain.local realm. I set this
realm to not strip on radius. Is that correct?
Yes, it's ok.
Still getting can't connect to this network on the test device.
Here are the two logs:
Radius.log (on the second attempt to join the ssid shown below I
unchecked verify the server's identity by validating the
certificate on the Windows machine)
Jul6 00:33:32 srv-pf-02 auth[29301]: Adding client 172.20.110.141/32
Jul6 00:33:33 srv-pf-02 auth[29301]: (52074) eap_peap: ERROR: TLS
Alert read:fatal:unknown CA
Jul6 00:33:33 srv-pf-02 auth[29301]: (52074) eap_peap: ERROR:
TLS_accept: Failed in error
Jul6 00:33:33 srv-pf-02 auth[29301]: (52074) eap_peap: ERROR: Failed
in __FUNCTION__ (SSL_read)
Jul6 00:33:33 srv-pf-02 auth[29301]: [mac:00:e0:4c:19:dd:56]
Rejected user: host/IT-VM-TEST.domain.local
Jul6 00:33:33 srv-pf-02 auth[29301]: (52074) Login incorrect
(eap_peap: TLS Alert read:fatal:unknown CA): [host/IT-VM-TEST.
domain.local] (from client 172.20.110.141/32 port 1 cli
00:e0:4c:19:dd:56)
Jul6 00:34:40 srv-pf-02 auth[29301]: (52087) Rejected in post-auth:
[host/IT-VM-TEST. domain.local] (from client 172.20.110.141/32 port
1 cli 00:e0:4c:19:dd:56 via TLS tunnel)
It means that it's rejected in PacketFence and not in FreeRADIUS, so
the 802.1X works.
Jul6 00:34:40 srv-pf-02 auth[29301]: (52087) Login incorrect:
[host/IT-VM-TEST. domain.local] (from client 172.20.110.141/32 port
1 cli 00:e0:4c:19:dd:56 via TLS tunnel)
Jul6 00:34:40 srv-pf-02 auth[29301]: [mac:00:e0:4c:19:dd:56]
Rejected user: host/IT-VM-TEST. domain.local
Jul6 00:34:40 srv-pf-02 auth[29301]: (52088) Login incorrect
(eap_peap: The users session was previously rejected: returning
reject (again.)): [host/IT-VM-TEST. domain.local] (from client
172.20.110.141/32 port 1 cli 00:e0:4c:19:dd:56)
packetfence.log
Jul6 00:34:40 srv-pf-02 packetfence_httpd.aaa: httpd.aaa(1907) WARN:
[mac:00:e0:4c:19:dd:56] Unable to extract audit-session-id for
module pf::Switch::Meraki::MR_v2. SSID-based VLAN assignments won't
work. Make sure you enable Vendor Specific Attributes (VSA) on the
AP if you want them to work. (pf::Switch::getCiscoAvPairAttribute)
Jul6 00:34:40 srv-pf-02 packetfence_httpd.aaa: httpd.aaa(1907) INFO:
[mac:00:e0:4c:19:dd:56] handling radius autz request: from switch_ip
=> (172.20.110.141), connection_type =>
Wireless-802.11-EAP,switch_mac => (92:18:98:40:47:69), mac =>
[00:e0:4c:19:dd:56], port => 1, username => "host/IT-VM-TEST.
domain.local", ssid => WIFI-EPS (pf::radius::authorize)
Jul6 00:34:40 srv-pf-02 packetfence_httpd.aaa: httpd.aaa(1907) INFO:
[mac:00:e0:4c:19:dd:56] is doing machine auth with account
'host/IT-VM-TEST. domain.local'. (pf::radius::authorize)
Jul6 00:34:40 srv-pf-02 packetfence_httpd.aaa: httpd.aaa(1907) INFO:
[mac:00:e0:4c:19:dd:56] Instantiate profile EPS-Wifi
(pf::Connection::ProfileFactory::_from_profile)
Jul6 00:34:40 srv-pf-02 packetfence_httpd.aaa: httpd.aaa(1907) INFO:
[mac:00:e0:4c:19:dd:56] Found authentication source(s) :
'AD_Domain-Computers' for realm ' domain.local'
(pf::config::util::filter_authentication_sources)
Jul6 00:34:40 srv-pf-02 packetfence_httpd.aaa: httpd.aaa(1907) INFO:
[mac:00:e0:4c:19:dd:56] Using sources AD_Domain-Computers for
matching (pf::authentication::match2)
Jul6 00:34:40 srv-pf-02 packetfence_httpd.aaa: httpd.aaa(1907) WARN:
[mac:00:e0:4c:19:dd:56] [AD_Domain-Computers Domain_Computers]
Searching for (servicePrincipalName=host/IT-VM-TEST. domain.local),
from DC= domain,DC=local, with scope sub
(pf::Authentication::Source::LDAPSource::match_in_subclass)
Jul6 00:34:40 srv-pf-02 packetfence_httpd.aaa: httpd.aaa(1907) INFO:
[mac:00:e0:4c:19:dd:56] LDAP testing connection (pf::LDAP::expire_if)
Jul6 00:34:40 srv-pf-02 packetfence_httpd.aaa: httpd.aaa(1907)
ERROR: [mac:00:e0:4c:19:dd:56] Error binding: 'Connection reset by
peer' (pf::LDAP::log_error_msg)
Error binding; can you check from the source itself, when you click on
test, that it works?
Jul6 00:34:40 srv-pf-02 packetfence_httpd.aaa: httpd.aaa(1907) WARN:
[mac:00:e0:4c:19:dd:56] LDAP connection expired (pf::LDAP::expire_if)
Jul6 00:34:40 srv-pf-02 packetfence_httpd.aaa: httpd.aaa(1907) INFO:
[mac:00:e0:4c:19:dd:56] No rules matches or no category defined for
the node, set it as unreg. (pf::role::getNodeInfoForAutoReg)
There are no rules that matched in AD_Domain-Computers; can you
paste the content of authentication.conf (remove sensitive info).
Jul6 00:34:40 srv-pf-02 packetfence_httpd.aaa: httpd.aaa(1907) WARN:
[mac:00:e0:4c:19:dd:56] No category computed for autoreg
(pf::role::getNodeInfoForAutoReg)
Jul6 00:34:40 srv-pf-02 packetfence_httpd.aaa: httpd.aaa(1907) WARN:
[mac:00:e0:4c:19:dd:56] No role specified or found for pid
host/IT-VM-TEST. domain.local (MAC 00:e0:4c:19:dd:56); assume
maximum number of registered nodes is reached
(pf::node::is_max_reg_nodes_reached)
Jul6 00:34:40 srv-pf-02 packetfence_httpd.aaa: httpd.aaa(1907)
ERROR: [mac:00:e0:4c:19:dd:56] no role computed by any sources -
registration of 00:e0:4c:19:dd:56 to host/IT-VM-TEST. domain.local
failed (pf::registration::setup_node_for_registration)
Jul6 00:34:40 srv-pf-02 packetfence_httpd.aaa: httpd.aaa(1907)
ERROR: [mac:00:e0:4c:19:dd:56] auto-registration of node failed no
role computed by any sources (pf::radius::authorize)
Jul6 00:34:40 srv-pf-02 packetfence_httpd.aaa: httpd.aaa(1907)
ERROR: [mac:00:e0:4c:19:dd:56] Database query failed with non
retryable error: Cannot add or update a child row: a foreign key
constraint fails (`pf`.`node`, CONSTRAINT `0_57` FOREIGN KEY
(`tenant_id`, `pid`) REFERENCES `person` (`tenant_id`, `pid`) ON
DELETE CASCADE ON UPDATE CASCADE) (errno: 1452) [INSERT INTO `node`
( `autoreg`, `bandwidth_balance`, `bypass_role_id`, `bypass_vlan`,
`category_id`, `computername`, `detect_date`, `device_class`,
`device_manufacturer`, `device_score`, `device_type`,
`device_version`, `dhcp6_enterprise`, `dhcp6_fingerprint`,
`dhcp_fingerprint`, `dhcp_vendor`, `last_arp`, `last_dhcp`,
`last_seen`, `lastskip`, `mac`, `machine_account`, `notes`, `pid`,
`regdate`, `sessionid`, `status`, `tenant_id`, `time_balance`,
`unregdate`, `user_agent`, `voip`) VALUES ( ?, ?, ?, ?, ?, ?, ?, ?,
?, ?, ?, ?, ?, ?, ?, ?, ?, ?, NOW(), ?, ?, ?, ?, ?, ?, ?, ?, ?, ?,
?, ?, ? ) ON DUPLICATE KEY UPDATE `autoreg` = ?, `last_seen` =
NOW(), `machine_account` = ?, `pid` = ?, `tenant_id` = ?]{yes, NULL,
NULL, NULL, NULL, NULL, 2020-07-06 00:09:30, NULL, NULL, NULL, NULL,
NULL, NULL, NULL, NULL, NULL, 0000-00-00 00:00:00, 0000-00-00
00:00:00, 0000-00-00 00:00:00, 00:e0:4c:19:dd:56, host/IT-VM-TEST.
domain.local, NULL, host/IT-VM-TEST. domain.local, 0000-00-00
00:00:00, NULL, unreg, 1, NULL, 0000-00-00 00:00:00, NULL, no, yes,
host/IT-VM-TEST. domain.local, host/IT-VM-TEST. domain.local, 1}
(pf::dal::db_execute)
Jul6 00:34:40 srv-pf-02 packetfence_httpd.aaa: httpd.aaa(1907)
ERROR: [mac:00:e0:4c:19:dd:56] Cannot save 00:e0:4c:19:dd:56 error
(500) (pf::radius::authorize)
Thanks.
Mike
Regards
Fabrice
On Sunday, July 5, 2020, 08:22:42 PM EDT, Durand fabrice via
PacketFence-users <packetfence-users@lists.sourceforge.net> wrote:
Hello Michael,
On 20-06-30 at 00:02, Michael Brown via PacketFence-users wrote:
Hi Guys,
I am trying to get machine authentication working so that if a
machine is a member of the Active Directory Domain Computers group
it will join wifi without prompting the user for anything.
The access points are all Meraki.
On packetfence I have the following:
Connection Profile
Automatically register devices is turned on
Connection Type = Wireless-802.11 EAP
Authentication Profile
Realm: Host
Realm can't be Host; it's supposed to be the FQDN of the domain. For
host/x1234.acme.com, the realm is acme.com.
So create the realm acme.com, associate the domain to it, and in the
authentication source (AD) edit the authentication rule and remove
Realm = host.
Next, connect to the SSID and paste the packetfence.log and the
radius.log file if it still doesn't work.
Regards
Fabrice
Group Membership > is a member of > CN=Domain Computers,CN=Users,DC=xxxxx,DC=local
Role > Default
Access Duration > 1hr
Username Attribute = servicePrincipalName
On a domain device that is a member of Domain Computers, when I
choose to join the wireless network it is prompting me for a
username and password.
Any ideas on how I can get the Domain Computer devices to auto join?
Thanks a lot.
Mike
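The realm lookup Fabrice describes (for host/x1234.acme.com the realm is acme.com) and the source selection the packetfence.log shows ("Found authentication source(s) ... for realm ...") can be checked offline against a pasted authentication.conf. The script below is an added example for this thread, not PacketFence code; it re-implements that lookup in simplified form over a constructed, trimmed copy of the config pasted above (passwords and binddn left out), and flags settings worth a second look, such as encryption=none on port 389, where the bind password and every directory query travel in cleartext. The function names and the trimmed config are the example's own assumptions.

```python
"""Check which PacketFence authentication source a RADIUS username lands on.

Added example for the mailing-list thread, not PacketFence's own code. It
re-implements, in a simplified form, what the thread's logs show: deriving the
realm from the username (host/<fqdn> -> domain part after the host label) and
picking the sources in authentication.conf whose 'realms' list contains it.
"""
import configparser

# Constructed, trimmed-down copy of the authentication.conf pasted in the
# thread (passwords and binddn omitted; rule conditions kept as written).
SAMPLE_CONF = """\
[local]
description=Local Users
type=SQL

[AD-Faculty]
type=AD
realms=domain.org,null
host=172.20.10.2
port=389
encryption=none
usernameattribute=sAMAccountName
basedn=OU=Domain_Users,DC=domain,DC=local

[AD-Faculty rule Faculty_All]
class=authentication
condition0=groupMembership,is member of,CN=Faculty - All,OU=Domain Groups,DC=domain,DC=local
action0=set_role=default
action1=set_access_duration=1h

[AD_Domain-Computers]
type=AD
realms=domain.local
host=172.20.10.2
port=389
encryption=none
usernameattribute=servicePrincipalName
basedn=DC=domain,DC=local

[AD_Domain-Computers rule Domain_Computers]
class=authentication
condition0=groupMembership,is member of,CN=Domain Computers,OU=Domain Groups,DC=domain,DC=local
action0=set_role=default
action1=set_access_duration=1h
"""


def load_conf(text):
    """Parse PacketFence-style INI text. Only '=' splits key from value, so
    values such as 'set_role=default' and DNs keep their own '=' and ':'."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.read_string(text)
    return cp


def realm_of(username):
    """Realm of a RADIUS username as the thread describes it: for
    host/x1234.acme.com the realm is acme.com (FQDN minus the host label);
    for user@acme.com it is acme.com. Returns None when none can be derived.
    Stray whitespace (as seen around the dot in the pasted logs) is dropped."""
    username = username.strip()
    if "@" in username:
        return username.rsplit("@", 1)[1].strip().lower() or None
    if username.lower().startswith("host/"):
        fqdn = username[len("host/"):]
        if "." in fqdn:
            return fqdn.split(".", 1)[1].strip().lower() or None
    return None


def sources_for_realm(cp, realm):
    """Names of AD/LDAP sources whose 'realms' list contains the realm."""
    hits = []
    for name in cp.sections():
        if " rule " in name:          # '[source rule X]' sections are rules
            continue
        sec = cp[name]
        if sec.get("type") not in ("AD", "LDAP"):
            continue
        realms = [r.strip().lower() for r in sec.get("realms", "").split(",") if r.strip()]
        if realm in realms:
            hits.append(name)
    return hits


def audit_source(cp, name):
    """Defender-side checks on one directory source; returns finding strings."""
    sec = cp[name]
    findings = []
    if sec.get("encryption", "none") == "none":
        findings.append(f"{name}: encryption=none, bind password and queries go in "
                        f"cleartext to {sec.get('host')}:{sec.get('port')}")
    if not any(s.startswith(name + " rule ") for s in cp.sections()):
        findings.append(f"{name}: no rules, so no role can ever be computed")
    if not sec.get("realms", "").strip():
        findings.append(f"{name}: no realms, source is never selected by realm")
    return findings


def explain(cp, username):
    """Walk one username through realm derivation and source selection."""
    realm = realm_of(username)
    return {"username": username, "realm": realm,
            "sources": sources_for_realm(cp, realm) if realm else []}


if __name__ == "__main__":
    conf = load_conf(SAMPLE_CONF)
    # Username from the radius.log in the thread, with the stray space removed.
    result = explain(conf, "host/IT-VM-TEST.domain.local")
    print(result)
    for src in result["sources"]:
        for finding in audit_source(conf, src):
            print("finding:", finding)
```

Running it selects AD_Domain-Computers for realm domain.local, which matches the "Found authentication source(s)" line in the log; the remaining failure in the thread ("Error binding: Connection reset by peer") is at the LDAP bind itself, which the source's Test button exercises and this offline check cannot.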
_______________________________________________
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
<mailto:PacketFence-users@lists.sourceforge.net>
https://lists.sourceforge.net/lists/listinfo/packetfence-users