Hello Michael,

good to know that it works.


On 20-07-08 at 15:54, Michael Brown wrote:
Hi Fabrice,

You were right. As soon as I changed the Auth Source for Domain Computers to MemberOf is CN=Domain Computers,OU=Domain Groups,DC=eatontown,DC=local it worked, the only caveat being that on the client I had to manually add the SSID and make sure I set it not to check the certificate.

To eliminate the need to manually add the ssid to the client I created and imported a cert from our MSPKI by doing what is on page 215 of the Installation Guide and all good now.  The machines join no problem.  The only thing is none of the settings I updated in the eap.conf file appear in the PacketFence Admin Web Portal.

Everything in the following sections is still showing what appeared before I made the changes to the eap.conf file.
System Configuration > Radius > EAP Profiles
System Configuration > Radius > TLS Profiles
System Configuration > SSL Certificates > Radius

In fact you just need to go to https://mgmt_ip:1443/admin/alt#/configuration/certificate/radius

https://172.20.20.86:1443/admin/alt#/configuration/certificate/http


Regards

Fabrice


Shouldn't the changes I made be reflected somewhere in the portal?

Thanks again for the help.



On Monday, July 6, 2020, 10:13:31 PM EDT, Durand fabrice <fdur...@inverse.ca> wrote:



On 20-07-06 at 22:01, Michael Brown wrote:
Hi Fabrice,

When I do a test from the AD_Domain-Computers Auth Source I get a green check.

Ok good.

Here is the authentication.conf

Thanks for the help.

# Copyright (C) Inverse inc.
[local]
description=Local Users
type=SQL

[file1]
description=Legacy Source
path=/usr/local/pf/conf/admin.conf
type=Htpasswd
realms=null

[file1 rule admins]
description=All admins
class=administration
match=all
action0=set_access_level=ALL
status=enabled

[sms]
description=SMS-based registration
sms_carriers=100056,100057,100061,100058,100059,100060,100062,100063,100071,100064,100116,100066,100117,100112,100067,100065,100068,100069,100070,100118,100115,100072,100073,100074,100075,100076,100077,100085,100086,100080,100079,100081,100083,100082,100084,100087,100088,100111,100089,100090,100091,100092,100093,100094,100095,100096,100098,100097,100099,100100,100101,100113,100102,100103,100104,100106,100105,100107,100108,100109,100114,100110,100078,100119,100120,100121,100122,100123,100124,100125,100126,100127,100128
type=SMS
create_local_account=no

[sms rule catchall]
description=
class=authentication
match=all
action0=set_role=guest
action1=set_access_duration=1D
status=enabled

[email]
description=Email-based registration
email_activation_timeout=10m
type=Email
allow_localdomain=yes
create_local_account=no

[email rule catchall]
description=
class=authentication
match=all
action0=set_role=guest
action1=set_access_duration=1D
status=enabled

[sponsor]
description=Sponsor-based registration
type=SponsorEmail
allow_localdomain=yes
create_local_account=no

[sponsor rule catchall]
description=
class=authentication
match=all
action0=set_role=guest
action1=set_access_duration=1D
status=enabled

[null]
description=Null Source
type=Null
email_required=no
set_access_durations_action=

[null rule catchall]
action0=set_role=empty - None
status=enabled
match=all
class=authentication
action1=set_access_duration=1D
description=catchall

[AD-Faculty]
cache_match=0
read_timeout=10
realms=domain.org,null
basedn=OU=Domain_Users,DC=domain,DC=local
monitor=1
password=xxxxxxxxxx
shuffle=0
searchattributes=
set_access_durations_action=
scope=sub
email_attribute=mail
usernameattribute=sAMAccountName
connection_timeout=1
binddn=CN=Admin\, PacketFence,OU=IT Utilty Accounts,OU=Domain_Users,DC=domain,DC=local
encryption=none
description=Active Directory - Faculty All
port=389
host=172.20.10.2
write_timeout=5
type=AD

[AD-Faculty rule Faculty_All]
action0=set_role=default
condition0=groupMembership,is member of,CN=Faculty - All,OU=Domain Groups,DC=domain,DC=local
status=enabled
match=all
class=authentication
action1=set_access_duration=1h

[AD_Domain-Computers]
cache_match=0
read_timeout=10
realms=domain.local
basedn=DC=domain,DC=local
monitor=1
password=xxxxxxxxxx
shuffle=0
searchattributes=
set_access_durations_action=
scope=sub
email_attribute=mail
usernameattribute=servicePrincipalName
connection_timeout=1
binddn=CN=Admin\, PacketFence,OU=IT Utilty Accounts,OU=Domain_Users,DC=domain,DC=local
encryption=none
description=Active Directory - Domain Computers
port=389
host=172.20.10.2
write_timeout=5
type=AD

[AD_Domain-Computers rule Domain_Computers]
action0=set_role=default
condition0=groupMembership,is member of,CN=Domain Computers,OU=Domain Groups,DC=domain,DC=local
status=enabled
match=all
class=authentication
action1=set_access_duration=1h

This one probably doesn't work (Domain_Computers); can you just test without the condition?

In fact, if the DN of the computer is defined in the group, then it's "groupMembership, is member of ...".

If the DN of the group is defined in the computer object, then it's "memberOf, is ...".

You can check that with adsiedit.msc or with the advanced view in "Users and Computers".

regards

Fabrice


[EAPTLS rule Test]
action0=set_access_duration=1h
condition0=SSID,equals,WIFI-EPS
status=enabled
match=all
class=authentication
action1=set_role=guest



On Monday, July 6, 2020, 09:04:24 PM EDT, Durand fabrice <fdur...@inverse.ca> wrote:


Hello Michael,


On 20-07-06 at 10:37, Michael Brown wrote:
Hey Fabrice,

Removed the Host realm and added the domain.local realm. I set this realm to not strip on RADIUS. Is that correct?

Yes, it's OK.
Still getting can't connect to this network on the test device.

Here are the two logs:
Radius.log (on the second attempt to join the SSID shown below, I unchecked "Verify the server's identity by validating the certificate" on the Windows machine)

Jul6 00:33:32 srv-pf-02 auth[29301]: Adding client 172.20.110.141/32

Jul6 00:33:33 srv-pf-02 auth[29301]: (52074) eap_peap: ERROR: TLS Alert read:fatal:unknown CA

Jul6 00:33:33 srv-pf-02 auth[29301]: (52074) eap_peap: ERROR: TLS_accept: Failed in error

Jul6 00:33:33 srv-pf-02 auth[29301]: (52074) eap_peap: ERROR: Failed in __FUNCTION__ (SSL_read)

Jul6 00:33:33 srv-pf-02 auth[29301]: [mac:00:e0:4c:19:dd:56] Rejected user: host/IT-VM-TEST.domain.local

Jul6 00:33:33 srv-pf-02 auth[29301]: (52074) Login incorrect (eap_peap: TLS Alert read:fatal:unknown CA): [host/IT-VM-TEST. domain.local] (from client 172.20.110.141/32 port 1 cli 00:e0:4c:19:dd:56)

Jul6 00:34:40 srv-pf-02 auth[29301]: (52087) Rejected in post-auth: [host/IT-VM-TEST. domain.local] (from client 172.20.110.141/32 port 1 cli 00:e0:4c:19:dd:56 via TLS tunnel)

It means that it's rejected in PacketFence and not in FreeRADIUS, so the 802.1X works.

Jul6 00:34:40 srv-pf-02 auth[29301]: (52087) Login incorrect: [host/IT-VM-TEST. domain.local] (from client 172.20.110.141/32 port 1 cli 00:e0:4c:19:dd:56 via TLS tunnel)

Jul6 00:34:40 srv-pf-02 auth[29301]: [mac:00:e0:4c:19:dd:56] Rejected user: host/IT-VM-TEST. domain.local

Jul6 00:34:40 srv-pf-02 auth[29301]: (52088) Login incorrect (eap_peap: The users session was previously rejected: returning reject (again.)): [host/IT-VM-TEST. domain.local] (from client 172.20.110.141/32 port 1 cli 00:e0:4c:19:dd:56)

packetfence.log

Jul6 00:34:40 srv-pf-02 packetfence_httpd.aaa: httpd.aaa(1907) WARN: [mac:00:e0:4c:19:dd:56] Unable to extract audit-session-id for module pf::Switch::Meraki::MR_v2. SSID-based VLAN assignments won't work. Make sure you enable Vendor Specific Attributes (VSA) on the AP if you want them to work. (pf::Switch::getCiscoAvPairAttribute)

Jul6 00:34:40 srv-pf-02 packetfence_httpd.aaa: httpd.aaa(1907) INFO: [mac:00:e0:4c:19:dd:56] handling radius autz request: from switch_ip => (172.20.110.141), connection_type => Wireless-802.11-EAP,switch_mac => (92:18:98:40:47:69), mac => [00:e0:4c:19:dd:56], port => 1, username => "host/IT-VM-TEST. domain.local", ssid => WIFI-EPS (pf::radius::authorize)

Jul6 00:34:40 srv-pf-02 packetfence_httpd.aaa: httpd.aaa(1907) INFO: [mac:00:e0:4c:19:dd:56] is doing machine auth with account 'host/IT-VM-TEST. domain.local'. (pf::radius::authorize)

Jul6 00:34:40 srv-pf-02 packetfence_httpd.aaa: httpd.aaa(1907) INFO: [mac:00:e0:4c:19:dd:56] Instantiate profile EPS-Wifi (pf::Connection::ProfileFactory::_from_profile)

Jul6 00:34:40 srv-pf-02 packetfence_httpd.aaa: httpd.aaa(1907) INFO: [mac:00:e0:4c:19:dd:56] Found authentication source(s) : 'AD_Domain-Computers' for realm ' domain.local' (pf::config::util::filter_authentication_sources)

Jul6 00:34:40 srv-pf-02 packetfence_httpd.aaa: httpd.aaa(1907) INFO: [mac:00:e0:4c:19:dd:56] Using sources AD_Domain-Computers for matching (pf::authentication::match2)

Jul6 00:34:40 srv-pf-02 packetfence_httpd.aaa: httpd.aaa(1907) WARN: [mac:00:e0:4c:19:dd:56] [AD_Domain-Computers Domain_Computers] Searching for (servicePrincipalName=host/IT-VM-TEST. domain.local), from DC= domain,DC=local, with scope sub (pf::Authentication::Source::LDAPSource::match_in_subclass)

Jul6 00:34:40 srv-pf-02 packetfence_httpd.aaa: httpd.aaa(1907) INFO: [mac:00:e0:4c:19:dd:56] LDAP testing connection (pf::LDAP::expire_if)

Jul6 00:34:40 srv-pf-02 packetfence_httpd.aaa: httpd.aaa(1907) ERROR: [mac:00:e0:4c:19:dd:56] Error binding: 'Connection reset by peer' (pf::LDAP::log_error_msg)

Error binding: can you check, from the source itself, that it works when you click on Test?

Jul6 00:34:40 srv-pf-02 packetfence_httpd.aaa: httpd.aaa(1907) WARN: [mac:00:e0:4c:19:dd:56] LDAP connection expired (pf::LDAP::expire_if)

Jul6 00:34:40 srv-pf-02 packetfence_httpd.aaa: httpd.aaa(1907) INFO: [mac:00:e0:4c:19:dd:56] No rules matches or no category defined for the node, set it as unreg. (pf::role::getNodeInfoForAutoReg)

There are no rules that matched in AD_Domain-Computers; can you paste the content of authentication.conf (remove sensitive info)?

Jul6 00:34:40 srv-pf-02 packetfence_httpd.aaa: httpd.aaa(1907) WARN: [mac:00:e0:4c:19:dd:56] No category computed for autoreg (pf::role::getNodeInfoForAutoReg)

Jul6 00:34:40 srv-pf-02 packetfence_httpd.aaa: httpd.aaa(1907) WARN: [mac:00:e0:4c:19:dd:56] No role specified or found for pid host/IT-VM-TEST. domain.local (MAC 00:e0:4c:19:dd:56); assume maximum number of registered nodes is reached (pf::node::is_max_reg_nodes_reached)

Jul6 00:34:40 srv-pf-02 packetfence_httpd.aaa: httpd.aaa(1907) ERROR: [mac:00:e0:4c:19:dd:56] no role computed by any sources - registration of 00:e0:4c:19:dd:56 to host/IT-VM-TEST. domain.local failed (pf::registration::setup_node_for_registration)

Jul6 00:34:40 srv-pf-02 packetfence_httpd.aaa: httpd.aaa(1907) ERROR: [mac:00:e0:4c:19:dd:56] auto-registration of node failed no role computed by any sources (pf::radius::authorize)

Jul6 00:34:40 srv-pf-02 packetfence_httpd.aaa: httpd.aaa(1907) ERROR: [mac:00:e0:4c:19:dd:56] Database query failed with non retryable error: Cannot add or update a child row: a foreign key constraint fails (`pf`.`node`, CONSTRAINT `0_57` FOREIGN KEY (`tenant_id`, `pid`) REFERENCES `person` (`tenant_id`, `pid`) ON DELETE CASCADE ON UPDATE CASCADE) (errno: 1452) [INSERT INTO `node` ( `autoreg`, `bandwidth_balance`, `bypass_role_id`, `bypass_vlan`, `category_id`, `computername`, `detect_date`, `device_class`, `device_manufacturer`, `device_score`, `device_type`, `device_version`, `dhcp6_enterprise`, `dhcp6_fingerprint`, `dhcp_fingerprint`, `dhcp_vendor`, `last_arp`, `last_dhcp`, `last_seen`, `lastskip`, `mac`, `machine_account`, `notes`, `pid`, `regdate`, `sessionid`, `status`, `tenant_id`, `time_balance`, `unregdate`, `user_agent`, `voip`) VALUES ( ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, NOW(), ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ? ) ON DUPLICATE KEY UPDATE `autoreg` = ?, `last_seen` = NOW(), `machine_account` = ?, `pid` = ?, `tenant_id` = ?]{yes, NULL, NULL, NULL, NULL, NULL, 2020-07-06 00:09:30, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, 0000-00-00 00:00:00, 0000-00-00 00:00:00, 0000-00-00 00:00:00, 00:e0:4c:19:dd:56, host/IT-VM-TEST. domain.local, NULL, host/IT-VM-TEST. domain.local, 0000-00-00 00:00:00, NULL, unreg, 1, NULL, 0000-00-00 00:00:00, NULL, no, yes, host/IT-VM-TEST. domain.local, host/IT-VM-TEST. domain.local, 1} (pf::dal::db_execute)

Jul6 00:34:40 srv-pf-02 packetfence_httpd.aaa: httpd.aaa(1907) ERROR: [mac:00:e0:4c:19:dd:56] Cannot save 00:e0:4c:19:dd:56 error (500) (pf::radius::authorize)


Thanks.
Mike

Regards

Fabrice



On Sunday, July 5, 2020, 08:22:42 PM EDT, Durand fabrice via PacketFence-users <packetfence-users@lists.sourceforge.net> wrote:


Hello Michael,


On 20-06-30 at 00:02, Michael Brown via PacketFence-users wrote:
Hi Guys,

I am trying to get machine authentication working so that if a machine is a member of the Active Directory Domain Computers group it will join wifi without prompting the user for anything.

The access points are all Meraki.


On packetfence I have the following:
Connection Profile
Automatically register devices is turned on
Connection Type = Wireless-802.11 EAP

Authentication Profile
Realm: Host

Realm can't be Host; it's supposed to be the FQDN of the domain. For example, with host/x1234.acme.com the realm is acme.com.

So create the realm acme.com, associate the domain to it, and in the authentication source (AD) edit the authentication rule and remove Realm = host.

Next, connect to the SSID and paste the packetfence.log and radius.log files if it still doesn't work.

Regards

Fabrice


Group Membership > is a member of > CN=Domain Computers,CN=Users,DC=xxxxx,DC=local
Role > Default
Access Duration > 1hr
Username Attribute = servicePrincipalName


On a domain device that is a member of Domain Computers, when I choose to join the wireless network it is prompting me for a username and password.

Any ideas on how I can get the Domain Computer devices to auto join?

Thanks a lot.
Mike

_______________________________________________
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users

--
Fabrice Durand
fdur...@inverse.ca ::  +1.514.447.4918 (x135) ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
(http://packetfence.org)

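Fabrice's reading of the radius.log excerpts in this thread comes down to two rules: a "TLS Alert read:fatal:unknown CA" means the supplicant never trusted the RADIUS server certificate, so nothing was authenticated, while "Rejected in post-auth ... via TLS tunnel" means FreeRADIUS finished 802.1X and PacketFence did the rejecting, so the place to look is the realm, the authentication source and its rules. The script below turns that triage into code. It is an added example written for this page, not PacketFence or FreeRADIUS code: it assumes FreeRADIUS's "Login OK / Login incorrect / Rejected in post-auth" outcome-line format as shown above, the sample log lines are constructed to resemble the excerpts (the "Login OK" line is invented to show the success case), and the realm rule follows Fabrice's remark that for host/x1234.acme.com the realm is acme.com.

```python
"""Stage-based triage of 802.1X machine-auth outcomes in FreeRADIUS radius.log.

Added example, not PacketFence/FreeRADIUS code.  Assumes the outcome-line format
seen in the thread; sample lines below are constructed to match those excerpts.
"""
import re
from collections import Counter

# Constructed sample modelled on the thread's radius.log (the "Login OK" line is invented).
SAMPLE_RADIUS_LOG = """\
Jul6 00:33:33 srv-pf-02 auth[29301]: (52074) eap_peap: ERROR: TLS Alert read:fatal:unknown CA
Jul6 00:33:33 srv-pf-02 auth[29301]: (52074) Login incorrect (eap_peap: TLS Alert read:fatal:unknown CA): [host/IT-VM-TEST.domain.local] (from client 172.20.110.141/32 port 1 cli 00:e0:4c:19:dd:56)
Jul6 00:34:40 srv-pf-02 auth[29301]: (52087) Rejected in post-auth: [host/IT-VM-TEST.domain.local] (from client 172.20.110.141/32 port 1 cli 00:e0:4c:19:dd:56 via TLS tunnel)
Jul6 00:34:40 srv-pf-02 auth[29301]: (52088) Login incorrect (eap_peap: The users session was previously rejected: returning reject (again.)): [host/IT-VM-TEST.domain.local] (from client 172.20.110.141/32 port 1 cli 00:e0:4c:19:dd:56)
Jul6 00:41:02 srv-pf-02 auth[29301]: (52101) Login OK: [host/IT-VM-TEST.domain.local] (from client 172.20.110.141/32 port 1 cli 00:e0:4c:19:dd:56 via TLS tunnel)
"""

# Syslog-style prefix, then the optional "(request-id)" FreeRADIUS prepends to its messages.
PREFIX_RE = re.compile(
    r"^(?P<ts>\S+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<proc>\S+)\[(?P<pid>\d+)\]: "
    r"(?:\((?P<req>\d+)\) )?(?P<msg>.*)$"
)
# The per-request verdict lines; everything else (handshake chatter, "Adding client") is skipped.
OUTCOME_RE = re.compile(
    r"^(?P<outcome>Login OK|Login incorrect|Rejected in post-auth)"
    r"(?: \((?P<reason>.*)\))?: \[(?P<user>[^\]]+)\] "
    r"\(from client (?P<client>\S+) port (?P<port>\d+) cli (?P<mac>[0-9A-Fa-f:]{17})"
    r"(?P<tunnel> via TLS tunnel)?\)"
)


def split_realm(username):
    """Derive (identity, realm) following the rule given in the thread: user@realm keeps
    the suffix, a machine account host/<fqdn> uses the domain part of the FQDN
    (host/x1234.acme.com -> acme.com).  Realm is normalised because source lookup keys on it."""
    name = username.strip()
    if "@" in name:
        ident, realm = name.rsplit("@", 1)
        return ident, realm.strip().lower()
    if name.startswith("host/") and "." in name[5:]:
        short, realm = name[5:].split(".", 1)
        return "host/" + short, realm.strip().lower()
    return name, None


def stage_of(outcome, reason):
    """Map a verdict line to the stage at which the request was decided."""
    if outcome == "Login OK":
        return "accepted"
    if outcome == "Rejected in post-auth":
        return "policy"      # EAP completed; the reject came from PacketFence's authorization
    if reason and "TLS Alert" in reason:
        return "tls"         # supplicant aborted the TLS handshake; no credential was checked
    return "auth"            # inner method failed, or the outer session echoing an earlier reject


def parse_radius_log(text):
    """Return one event dict per verdict line: timestamp, request id, MAC, user, realm, stage."""
    events = []
    for line in text.splitlines():
        m = PREFIX_RE.match(line)
        if not m:
            continue
        o = OUTCOME_RE.match(m.group("msg"))
        if not o:
            continue
        _ident, realm = split_realm(o.group("user"))
        events.append({
            "ts": m.group("ts"), "req": m.group("req"), "mac": o.group("mac").lower(),
            "user": o.group("user"), "realm": realm,
            "stage": stage_of(o.group("outcome"), o.group("reason")),
        })
    return events


HINTS = {
    "tls": "TLS alert from the supplicant: the client does not trust the RADIUS server "
           "certificate; fix the server certificate or the client's trust before touching rules.",
    "policy": "Rejected in post-auth: 802.1X completed and PacketFence refused the request; "
              "check the realm, the authentication source and its rules in packetfence.log.",
    "auth": "Login incorrect without a TLS alert: inner authentication failed, or an earlier "
            "reject is being echoed for the same session.",
}


def diagnose(events):
    """Return (stage counts, ordered hints) for the failure stages present in the events."""
    counts = Counter(e["stage"] for e in events)
    hints = [HINTS[s] for s in ("tls", "policy", "auth") if counts[s]]
    return counts, hints


if __name__ == "__main__":
    evs = parse_radius_log(SAMPLE_RADIUS_LOG)
    for e in evs:
        print(f"{e['ts']} req={e['req']} {e['mac']} realm={e['realm']} stage={e['stage']}")
    for hint in diagnose(evs)[1]:
        print("-", hint)
```

Run against a real radius.log, the per-stage counts tell you whether to spend time on certificates (tls) or on PacketFence sources and rules (policy); the realm column is the value PacketFence matched when it logged "Found authentication source(s) ... for realm", so a missing or misspelt realm shows up here before you dig into packetfence.log.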
