Yes I know, I did the code for that.

Btw you can use any kind of LDAP attributes.


On 2020-11-30 at 16:25, Eric Schubert wrote:
Thanks, Fabrice. This worked perfectly.

Eric Schubert
------------------------------------------------------------------------
*From:* Durand fabrice via PacketFence-users <packetfence-users@lists.sourceforge.net>
*Sent:* Wednesday, November 25, 2020 8:21 PM
*To:* packetfence-users@lists.sourceforge.net <packetfence-users@lists.sourceforge.net>
*Cc:* Durand fabrice <fdur...@inverse.ca>
*Subject:* Re: [PacketFence-users] PF ZEN 10.2.0 - Authenticate with Active Directory using email address

Hello Eric,


In the AD authentication source, add search attributes (UserPrincipalName).

Then in the realm config (the DEFAULT one) enable "Custom attributes" and select your AD source.

Then you need to restart radius.


Regards

Fabrice
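To make the mechanism behind these three steps concrete, here is an added example (my own code, not PacketFence's) of what a "search attributes" lookup does: the identity typed by the user (sAMAccountName, UPN or mail address) is matched against each configured attribute and resolved to the single sAMAccountName that the MSCHAP/NTLM step then needs. It assumes, as a model of the setting rather than a description of PacketFence internals, that the lookup is an OR filter over the search attributes; the directory entries and attribute names below are constructed sample data.

```python
# Added example (not PacketFence code). Models the lookup that an AD/LDAP
# "search attributes" setting performs before the MSCHAP/NTLM step: the
# submitted identity is matched against several attributes and resolved to
# one sAMAccountName. Directory contents below are constructed sample data.
from typing import Iterable, Optional

# RFC 4515 escaping for values embedded in an LDAP search filter, so that a
# user-typed identity cannot alter the filter structure.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_lookup_filter(identity: str, search_attributes: Iterable[str]) -> str:
    """Return the OR filter that matches `identity` against each search attribute."""
    safe = escape_filter_value(identity)
    clauses = "".join(f"({attr}={safe})" for attr in search_attributes)
    return f"(|{clauses})"


# Constructed stand-in for a real directory. The third entry deliberately
# shares a mail value with the second one to show why the choice of search
# attribute matters.
SAMPLE_DIRECTORY = [
    {"sAMAccountName": "eschubert", "userPrincipalName": "eschubert@example.org",
     "mail": "eric.schubert@example.org"},
    {"sAMAccountName": "fdurand", "userPrincipalName": "fdurand@example.org",
     "mail": "fdurand@example.org"},
    {"sAMAccountName": "svc-mailbox", "userPrincipalName": "svc-mailbox@example.org",
     "mail": "fdurand@example.org"},
]


def resolve_account_name(identity: str, search_attributes: Iterable[str],
                         directory=SAMPLE_DIRECTORY) -> Optional[str]:
    """Resolve a submitted identity to exactly one sAMAccountName.

    Matching is case-insensitive, as AD treats these attributes. Zero or
    several matches return None: an ambiguous lookup must not guess which
    account to authenticate against.
    """
    attrs = list(search_attributes)
    wanted = identity.lower()
    matches = [e for e in directory
               if any(e.get(a, "").lower() == wanted for a in attrs)]
    if len(matches) != 1:
        return None
    return matches[0]["sAMAccountName"]


if __name__ == "__main__":
    attrs = ["sAMAccountName", "userPrincipalName"]
    print(build_lookup_filter("eric.schubert@example.org", attrs))
    print(resolve_account_name("eschubert@example.org", attrs))
```

With only UserPrincipalName (as in the steps above) the lookup for fdurand@example.org is unambiguous; adding mail to the search attributes makes the same lookup return two entries, which the resolver rejects rather than picking one.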


On 2020-11-24 at 21:29, Eric Schubert via PacketFence-users wrote:
Hello,

I've been experimenting with PacketFence for NAC for a couple weeks now. We're running ZEN, updated to PF 10.2.0 yesterday. Based on endless threads on various forums, it would appear we're not the only outfit looking to use email addresses for authentication. For the life of me, I can't figure out how to configure authentication against Active Directory using UserPrincipalName, mail, or any attribute other than sAMAccountName. I've tried AD and LDAP and what feels like a million combinations of settings experiments. I followed the installation instructions to a tee. Authentication using sAMAccountName works fine, drops me in the right VLAN, registers my device, etc. When I try an email address (associated with the same sAMAccountName) with a known-to-be-correct password, authentication fails with the following:

Module-Failure-Message = "chrooted_mschap: Program returned code (1) and output 'The attempted logon is invalid. This is either due to a bad username or authentication information. (0xc000006d)'"
Module-Failure-Message = "chrooted_mschap: External script says: The attempted logon is invalid. This is either due to a bad username or authentication information. (0xc000006d)"
Module-Failure-Message = "chrooted_mschap: MS-CHAP2-Response is incorrect"

Occasionally (and I say "occasionally" because it's not consistent behavior), authentication seems to be successful via email address; I'm greeted with a certificate I trust, then a message on the user device (iOS 14.1) saying "Unable to join the network". I then try immediately after with the same credentials and am greeted with only the "Unable to join the network" message. If I try with just sAMAccountName, no problem.

At one point, the user created in PF after successful authentication even brought over attributes from AD properly. I deleted the user so I could try authenticating with email address again, but those attributes no longer populate, even using sAMAccountName. That only happened once out of 100+ authentication tests.

Is there any firm documentation or an example config that I can reference to set up Active Directory authentication using something other than sAMAccountName that doesn't require manually modifying files? I'd prefer to control the config via built-in GUI features so as not to have to re-create changes if they're wiped out during updates.

Thank you,

Eric Schubert


_______________________________________________
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users