Hi Nicolas, That's correct. I'm able to authenticate and the node gets registered together with the user being created/updated via the portal, when using MAC based authentication. 802.1x also works when I disable 'reuse_dot1x_credentials' and enable 'autoregister'.
We would really like to get devices to unregister regularly, so that fingerprinting is more accurate as they interact with the web server. Herewith the logs when testing 802.1x without AUP & fingerprinting:

Jun 25 16:27:06 packetfence2 packetfence_httpd.aaa: httpd.aaa(1998) INFO: [mac:00:11:22:33:44:55] handling radius autz request: from switch_ip => (100.127.255.10), connection_type => Wireless-802.11-EAP,switch_mac => (6e:3b:6b:18:bc:0f), mac => [00:11:22:33:44:55], port => 0, username => "davidh", ssid => Company WiFi (pf::radius::authorize)
Jun 25 16:27:06 packetfence2 packetfence_httpd.aaa: httpd.aaa(1998) INFO: [mac:00:11:22:33:44:55] Instantiate profile Wireless_802.1x (pf::Connection::ProfileFactory::_from_profile)
Jun 25 16:27:06 packetfence2 packetfence_httpd.aaa: httpd.aaa(1998) INFO: [mac:00:11:22:33:44:55] Found authentication source(s) : 'companyad_users' for realm 'null' (pf::config::util::filter_authentication_sources)
Jun 25 16:27:06 packetfence2 packetfence_httpd.aaa: httpd.aaa(1998) INFO: [mac:00:11:22:33:44:55] Using sources companyad_users for matching (pf::authentication::match2)
Jun 25 16:27:06 packetfence2 packetfence_httpd.aaa: httpd.aaa(1998) WARN: [mac:00:11:22:33:44:55] [companyad_users staff] Searching for (&(sAMAccountName=davidh)(memberOf=CN=company,OU=Company,OU=Security Groups,OU=Company,DC=ad,DC=company,DC=com)), from OU=Users,OU=Company,DC=ad,DC=company,DC=com, with scope sub (pf::Authentication::Source::LDAPSource::match_in_subclass)
Jun 25 16:27:06 packetfence2 packetfence_httpd.aaa: httpd.aaa(1998) INFO: [mac:00:11:22:33:44:55] Matched rule (staff) in source companyad_users, returning actions. (pf::Authentication::Source::match_rule)
Jun 25 16:27:06 packetfence2 packetfence_httpd.aaa: httpd.aaa(1998) INFO: [mac:00:11:22:33:44:55] Matched rule (staff) in source companyad_users, returning actions. (pf::Authentication::Source::match)
Jun 25 16:27:06 packetfence2 packetfence_httpd.aaa: httpd.aaa(1998) INFO: [mac:00:11:22:33:44:55] Found authentication source(s) : 'companyad_users' for realm 'null' (pf::config::util::filter_authentication_sources)
Jun 25 16:27:06 packetfence2 packetfence_httpd.aaa: httpd.aaa(1998) INFO: [mac:00:11:22:33:44:55] Role has already been computed and we don't want to recompute it. Getting role from node_info (pf::role::getRegisteredRole)
Jun 25 16:27:06 packetfence2 packetfence_httpd.aaa: httpd.aaa(1998) INFO: [mac:00:11:22:33:44:55] Username was defined "davidh" - returning role 'staff' (pf::role::getRegisteredRole)
Jun 25 16:27:06 packetfence2 packetfence_httpd.aaa: httpd.aaa(1998) INFO: [mac:00:11:22:33:44:55] PID: "davidh", Status: reg Returned VLAN: (undefined), Role: staff (pf::role::fetchRoleForNode)
Jun 25 16:27:06 packetfence2 packetfence_httpd.aaa: httpd.aaa(1998) WARN: [mac:00:11:22:33:44:55] No parameter staffVlan found in conf/switches.conf for the switch 100.127.255.10 (pf::Switch::getVlanByName)
Jun 25 16:27:06 packetfence2 packetfence_httpd.aaa: httpd.aaa(1998) INFO: [mac:00:11:22:33:44:55] (100.127.255.10) Returning ACCEPT with VLAN 0 and role (pf::Switch::Mikrotik::returnRadiusAccessAccept)
Jun 25 16:27:06 packetfence2 packetfence_httpd.aaa: httpd.aaa(1998) INFO: [mac:00:11:22:33:44:55] security_event 1300003 force-closed for 00:11:22:33:44:55 (pf::security_event::security_event_force_close)
Jun 25 16:27:06 packetfence2 packetfence_httpd.aaa: httpd.aaa(1998) INFO: [mac:00:11:22:33:44:55] Instantiate profile Wireless_802.1x (pf::Connection::ProfileFactory::_from_profile)
Jun 25 16:27:06 packetfence2 pfqueue: pfqueue(2531) INFO: [mac:unknown] Already did a person lookup for davidh (pf::lookup::person::lookup_person)
Jun 25 16:27:06 packetfence2 packetfence_httpd.aaa: httpd.aaa(1998) INFO: [mac:00:11:22:33:44:55] Updating locationlog from accounting request (pf::api::handle_accounting_metadata)

Regards
David Herselman

From: Quiniou-Briand, Nicolas <nquin...@akamai.com>
Sent: Friday, 25 June 2021 2:34 PM
To: David Herselman <d...@syrex.co>; packetfence-users@lists.sourceforge.net
Subject: RE: 802.1x - You do not have permission to register a device with this username

Hi David,

1. Based on the latest emails, it looks like the issue is not present when doing MAC authentication?

2. Could you make a new test on the 802.1X profile with the reuse_dot1x_credentials setting disabled and the autoregister setting enabled?

Important: with the autoregister setting enabled, if the authentication and authorization steps succeed, nodes will be automatically registered. In your case, it means that users will not have to go to the captive portal; they will be moved directly to the correct VLAN.

Nicolas Quiniou-Briand
Product Support Engineer
Office: +33156696210
Akamai Technologies
145 Broadway
Cambridge, MA 02142
_______________________________________________
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users
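An added example, not from this thread or from PacketFence itself: a small Python triage script for httpd.aaa log lines of the kind David posted. It groups the lines by MAC and flags the symptom visible in his output: the role 'staff' was resolved for the node, but no staffVlan parameter exists for switch 100.127.255.10 in switches.conf, so the Access-Accept went out with VLAN 0 rather than the VLAN intended for that role. The sample lines are constructed copies of the quoted ones; the field names and function names are the script's own.

```python
import re
from collections import defaultdict

# Constructed sample: four httpd.aaa lines in the shape of those quoted in the thread.
SAMPLE_LOG = """\
Jun 25 16:27:06 packetfence2 packetfence_httpd.aaa: httpd.aaa(1998) INFO: [mac:00:11:22:33:44:55] handling radius autz request: from switch_ip => (100.127.255.10), connection_type => Wireless-802.11-EAP,switch_mac => (6e:3b:6b:18:bc:0f), mac => [00:11:22:33:44:55], port => 0, username => "davidh", ssid => Company WiFi (pf::radius::authorize)
Jun 25 16:27:06 packetfence2 packetfence_httpd.aaa: httpd.aaa(1998) INFO: [mac:00:11:22:33:44:55] PID: "davidh", Status: reg Returned VLAN: (undefined), Role: staff (pf::role::fetchRoleForNode)
Jun 25 16:27:06 packetfence2 packetfence_httpd.aaa: httpd.aaa(1998) WARN: [mac:00:11:22:33:44:55] No parameter staffVlan found in conf/switches.conf for the switch 100.127.255.10 (pf::Switch::getVlanByName)
Jun 25 16:27:06 packetfence2 packetfence_httpd.aaa: httpd.aaa(1998) INFO: [mac:00:11:22:33:44:55] (100.127.255.10) Returning ACCEPT with VLAN 0 and role (pf::Switch::Mikrotik::returnRadiusAccessAccept)
"""

# One httpd.aaa line: syslog prefix, level, [mac:...] tag, message, trailing (pf::... caller).
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) \S+ packetfence_httpd\.aaa: httpd\.aaa\(\d+\) "
    r"(?P<level>\w+): \[mac:(?P<mac>[0-9a-f:]{17}|unknown)\] (?P<msg>.*) \((?P<func>pf::[\w:]+)\)$"
)

def parse_line(line):
    """Return the parsed fields of one httpd.aaa line, or None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def summarize(log_text):
    """Group httpd.aaa lines by MAC and pull out user, switch, role, status and returned VLAN."""
    sessions = defaultdict(lambda: {"username": None, "switch": None, "role": None,
                                    "status": None, "missing_vlan_param": None, "vlan": None})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # not an httpd.aaa line (e.g. pfqueue); ignore it
        s, msg, func = sessions[rec["mac"]], rec["msg"], rec["func"]
        if func == "pf::radius::authorize":
            s["username"] = re.search(r'username => "([^"]*)"', msg).group(1)
            s["switch"] = re.search(r"switch_ip => \(([^)]*)\)", msg).group(1)
        elif func == "pf::role::fetchRoleForNode":
            m = re.search(r"Status: (\w+) .*Role: (\S+)", msg)
            s["status"], s["role"] = m.group(1), m.group(2)
        elif func == "pf::Switch::getVlanByName" and rec["level"] == "WARN":
            s["missing_vlan_param"] = re.search(r"No parameter (\w+) found", msg).group(1)
        elif func.endswith("::returnRadiusAccessAccept"):
            s["vlan"] = int(re.search(r"Returning ACCEPT with VLAN (\d+)", msg).group(1))
    return dict(sessions)

def findings(sessions):
    """The symptom from the thread: role known, but its <role>Vlan parameter is missing for
    this switch, so the Access-Accept carried VLAN 0 instead of the role's VLAN."""
    return [f"{mac}: role {s['role']!r} for {s['username']!r} has no {s['missing_vlan_param']} "
            f"on switch {s['switch']}; Access-Accept carried VLAN 0"
            for mac, s in sessions.items() if s["missing_vlan_param"] and s["vlan"] == 0]
```

`findings(summarize(SAMPLE_LOG))` yields one line for the quoted session; an empty list means every role that was handed to the switch had a VLAN mapping.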