Hi Everyone,
Using EAP-TLS/certs, is it possible to authenticate a device based on what 
Azure AD group they are in?
I am successfully authenticating users based on Azure AD group memberships with 
user certificates but cannot seem to get this to work using a device 
certificate.  The device certificate I am using has the subject set to 
CN={{AAD_Device_ID}}.  I do not have any SANs set on the certificate.  When 
trying to connect on a client device I am getting the following:
Aug 21 14:06:28 
srv-pf-01 httpd.aaa-docker-wrapper[3710]: httpd.aaa(7) INFO: 
[mac:98:59:7a:4c:39:b1] handling radius autz request: from switch_ip => 
(10.20.10.28), connection_type => Wireless-802.11-EAP,switch_mac => 
(e0:cb:bc:91:85:df), mac => [98:59:7a:4c:39:b1], port => 1, username => 
"d1315df8-5850-48ec-8055-2801981948bb", ssid => Auth-Enterprise2 
(pf::radius::authorize)
Aug 21 14:06:28 srv-pf-01 httpd.aaa-docker-wrapper[3710]: httpd.aaa(7) INFO: 
[mac:98:59:7a:4c:39:b1] Instantiate profile Auth-Enterprise2 
(pf::Connection::ProfileFactory::_from_profile)
Aug 21 14:06:28 srv-pf-01 httpd.aaa-docker-wrapper[3710]: httpd.aaa(7) INFO: 
[mac:98:59:7a:4c:39:b1] Found authentication source(s) : 
'Auth-Enterprise2_AzureAD,Catchall-Deny' for realm 'null' 
(pf::config::util::filter_authentication_sources)
Aug 21 14:06:28 srv-pf-01 httpd.aaa-docker-wrapper[3710]: httpd.aaa(7) INFO: 
[mac:98:59:7a:4c:39:b1] Using sources Auth-Enterprise2_AzureAD, Catchall-Deny 
for matching (pf::authentication::match2)
Aug 21 14:06:29 srv-pf-01 httpd.aaa-docker-wrapper[3710]: httpd.aaa(7) ERROR: 
[mac:98:59:7a:4c:39:b1] Failed to obtain groups for 
d1315df8-5850-48ec-8055-2801981948bb: 404 Not Found 
(pf::Authentication::Source::AzureADSource::get_memberOf)
Aug 21 14:06:29 srv-pf-01 httpd.aaa-docker-wrapper[3710]: httpd.aaa(7) ERROR: 
[mac:98:59:7a:4c:39:b1] Failed to obtain groups for 
d1315df8-5850-48ec-8055-2801981948bb: 404 Not Found 
(pf::Authentication::Source::AzureADSource::get_memberOf)
Aug 21 14:06:29 srv-pf-01 httpd.aaa-docker-wrapper[3710]: httpd.aaa(7) INFO: 
[mac:98:59:7a:4c:39:b1] Matched rule (catchall) in source Catchall-Deny, 
returning actions. (pf::Authentication::Source::match_rule)
Aug 21 14:06:29 srv-pf-01 httpd.aaa-docker-wrapper[3710]: httpd.aaa(7) INFO: 
[mac:98:59:7a:4c:39:b1] Matched rule (catchall) in source Catchall-Deny, 
returning actions. (pf::Authentication::Source::match)
Aug 21 14:06:29 srv-pf-01 httpd.aaa-docker-wrapper[3710]: httpd.aaa(7) INFO: 
[mac:98:59:7a:4c:39:b1] Found authentication source(s) : 
'Auth-Enterprise2_AzureAD,Catchall-Deny' for realm 'null' 
(pf::config::util::filter_authentication_sources)
Aug 21 14:06:29 srv-pf-01 httpd.aaa-docker-wrapper[3710]: httpd.aaa(7) INFO: 
[mac:98:59:7a:4c:39:b1] Role has already been computed and we don't want to 
recompute it. Getting role from node_info (pf::role::getRegisteredRole)
Aug 21 14:06:29 srv-pf-01 httpd.aaa-docker-wrapper[3710]: httpd.aaa(7) INFO: 
[mac:98:59:7a:4c:39:b1] Username was defined 
"d1315df8-5850-48ec-8055-2801981948bb" - returning role 'REJECT' 
(pf::role::getRegisteredRole)
Aug 21 14:06:29 srv-pf-01 httpd.aaa-docker-wrapper[3710]: httpd.aaa(7) INFO: 
[mac:98:59:7a:4c:39:b1] PID: "d1315df8-5850-48ec-8055-2801981948bb", Status: 
reg Returned VLAN: (undefined), Role: REJECT (pf::role::fetchRoleForNode)
Aug 21 14:06:29 srv-pf-01 httpd.aaa-docker-wrapper[3710]: httpd.aaa(7) INFO: 
[mac:98:59:7a:4c:39:b1] According to rules in fetchRoleForNode this node must 
be kicked out. Returning USERLOCK (pf::Switch::handleRadiusDeny)
Aug 21 14:06:29 srv-pf-01 httpd.aaa-docker-wrapper[3710]: httpd.aaa(7) INFO: 
[mac:98:59:7a:4c:39:b1] security_event 1300003 force-closed for 
98:59:7a:4c:39:b1 (pf::security_event::security_event_force_close)

The application in Azure is set with the following permissions on Microsoft 
Graph:
Device.Read.All
Directory.Read.All
GroupMember.Read.All
User.Read


Thanks for your help
_______________________________________________
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users
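The 404 from get_memberOf is what you get when a device GUID is looked up as if it were a user. As an added diagnostic (my code, not PacketFence's), the script below tries the three Graph lookups the certificate CN could match and reports which object it actually names; it assumes an app token carrying the Device.Read.All and GroupMember.Read.All permissions listed in the post, and the injectable `fetch` argument is only there so it can be exercised offline.

```python
"""Find out which Graph object a GUID taken from a certificate CN resolves to.
Added example, not PacketFence code. Assumes (hypothetically) that a
user-oriented source keys its lookup on /users/{cn}/memberOf, and that an
AAD deviceId is a different GUID from the device's directory object id."""
import json
import urllib.error
import urllib.parse
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0"


def http_get(url, token):
    """Real fetcher: (HTTP status, parsed JSON body) for a Graph GET."""
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, json.load(resp)
    except urllib.error.HTTPError as e:
        return e.code, {}


def group_names(body):
    """Display names of the group entries in a memberOf response."""
    return sorted(m["displayName"] for m in body.get("value", [])
                  if m.get("@odata.type") == "#microsoft.graph.group")


def resolve_groups(identifier, token, fetch=http_get):
    """Try the lookups in troubleshooting order and say which one matched."""
    # 1. Treat the CN as a user key (what a user-only source would do).
    status, body = fetch(f"{GRAPH}/users/{identifier}/memberOf", token)
    if status == 200:
        return {"kind": "user", "groups": group_names(body)}
    # 2. Treat the CN as the device's directory object id.
    status, body = fetch(f"{GRAPH}/devices/{identifier}/memberOf", token)
    if status == 200:
        return {"kind": "device-object-id", "groups": group_names(body)}
    # 3. Treat the CN as the AAD deviceId shown in the portal; that GUID is
    #    not the object id, so it must be found with a filter first.
    query = urllib.parse.urlencode({"$filter": f"deviceId eq '{identifier}'"})
    status, body = fetch(f"{GRAPH}/devices?{query}", token)
    if status == 200 and body.get("value"):
        obj_id = body["value"][0]["id"]
        status, body = fetch(f"{GRAPH}/devices/{obj_id}/memberOf", token)
        if status == 200:
            return {"kind": "device-deviceId", "object_id": obj_id,
                    "groups": group_names(body)}
    return {"kind": "unknown", "groups": []}
```

If the result is `device-deviceId`, the CN carries the portal's Device ID rather than the object id that the memberOf lookup needs, which is worth checking before changing the certificate template.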