Just wondering if there is any help that can be given on this issue, or am I one of the first to do this and will have to blaze my own trail?
Is it possible to break this down into individual pieces that I can get some help with, and then maybe we can have success? I am documenting what I'm trying so we can have a write-up on how to do this with Okta LDAP. Thanks

On Wed, May 15, 2024 at 10:11 AM Brian Blater <brian.blater+packetfe...@digitalturbine.com> wrote:
> New user to PacketFence. As our company is moving away from AD to Okta for our IdP, I need to replace our Windows NPS for authenticating our Wifi users. I've been posting on Reddit in r/PacketFence there, but I understand this is the better place to get assistance. So I'm going to try here.
>
> Here is what I have so far:
>
> I've created the realm for our domain. I have created a RADIUS authentication source and associated it with the created realm. No rules created at this time. I have also created an LDAP authentication source to our Okta LDAP interface and associated that to our realm. The test with the associated Bind DN is successful. I've tried creating a rule using LDAP selecting member is member of dn=Wireless_Users_Group,ou=groups,dc=domain,dc=okta,dc=com with action Role - default and Access Duration - 1 day.
>
> Using ldap search as follows:
> ldapsearch -D "uid=serv...@domain.com,ou=users, dc=domain, dc=okta, dc=com" -W -H ldaps://domain.ldap.okta.com -b dc=domain,dc=okta,dc=com uid=test...@domain.com \* +
> This will list the various attributes of the user, but does not list the groups the user is a member of.
>
> To list groups the user is a member of I can do the following ldap search:
>
> ldapsearch -x -H ldaps://domain.ldap.okta.com -D "uid=serv...@domain.com,ou=users,dc=domain,dc=okta,dc=com" -W -b dc=domain,dc=okta,dc=com uid=test...@domain.com memberOf
>
> This will show me a long list of groups the user is a member of in the following format:
> memberOf: cn=miro_users,ou=groups,dc=domain,dc=okta,dc=com
>
> This is different from the typical AD approach to getting memberOf.
>
> I get the following when doing a radtest:
>
> radtest u...@domain.com <password> localhost:18120 12 testing123
> Sent Access-Request Id 184 from 0.0.0.0:57241 to 127.0.0.1:18120 length 106
> User-Name = "u...@domain.com"
> User-Password = "<password>"
> NAS-IP-Address = 127.0.1.1
> NAS-Port = 12
> Message-Authenticator = 0x00
> Cleartext-Password = "<password>"
>
> The above is repeated 3 times and then I get:
> (0) No reply from server for ID 184 socket 3
>
> Obviously Okta is not the usual IdP for RADIUS from what I can see, and their LDAP implementation may be a bit different. In my Google searches I see that players like SecureW2, using FreeRADIUS on the backend, are using SAML connectivity with Okta. I've configured a SAML authentication source in PF, but that is as far as I've got so far.
>
> I tried to start PF FreeRADIUS in debug mode, but didn't have any success. In System Configuration | Services I stopped radiusd and radiusd-auth and tried using the following: freeradius -X -d /usr/local/pf/raddb -n auth
> That fails binding to status address of 127.0.0.1 port 18121: Address already in use. So, not sure how to get debug mode working to see more info on what is happening in RADIUS.
>
> At this point I'm pretty lost. Not sure what steps I'm missing in all of this, and I have tried to follow documentation to set things up, but I'm obviously missing some stuff.
>
> The goal is to get users to authenticate against Okta for Wifi access, if they belong to a certain group. Then, depending on that group, assign them the correct VLAN. We are using Unifi APs with a Unifi Cloud Key and have that currently working in NPS. Just need to move it over to PacketFence.
>
> Any assistance you can provide to get me working would be greatly appreciated.
>
> Thanks,
> Brian
>
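As an added example (not from the post above and not PacketFence's own code), here is a small Python script that takes the LDIF printed by the second `ldapsearch ... memberOf` query in the post and turns it into the group-based decision the post is after: is the user in the required group, and which VLAN does that group map to. The LDIF, user, group names and VLAN numbers are constructed for illustration; the policy assumes the group DN has the `cn=` form that the quoted `memberOf:` output shows, and the group-to-VLAN mapping is a placeholder. It unfolds LDIF continuation lines, decodes base64 (`::`) values, and normalises DNs before comparing them, so the spaces in a DN such as `ou=users, dc=domain, dc=okta, dc=com` do not cause a false mismatch.

```python
"""Parse ldapsearch LDIF output for memberOf and make a group -> VLAN decision."""
import base64
from typing import Dict, List, Optional, Set

# Constructed sample: what the post's second ldapsearch would return for one user.
# One memberOf value is folded across two lines (LDIF continuation = leading space)
# so the unfolding logic is exercised.
SAMPLE_LDIF = """\
# extended LDIF
#
# LDAPv3
# base <dc=domain,dc=okta,dc=com> with scope subtree
# filter: uid=test.user@domain.com
# requesting: memberOf

# test.user@domain.com, users, domain.okta.com
dn: uid=test.user@domain.com,ou=users,dc=domain,dc=okta,dc=com
memberOf: cn=miro_users,ou=groups,dc=domain,dc=okta,dc=com
memberOf: cn=Wireless_Users_Group,ou=groups,dc=domain,dc=okta,
 dc=com
memberOf: cn=Everyone,ou=groups,dc=domain,dc=okta,dc=com

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
"""

# Constructed policy (placeholder values): first matching group wins.
GROUP_VLAN_POLICY = [
    ("cn=Wireless_Users_Group,ou=groups,dc=domain,dc=okta,dc=com", 20),
    ("cn=miro_users,ou=groups,dc=domain,dc=okta,dc=com", 30),
]


def unfold_ldif(text: str) -> List[str]:
    """Join LDIF continuation lines: a line starting with one space continues the previous line."""
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_entries(text: str) -> List[Dict[str, List[str]]]:
    """Return one dict per entry, attribute names lowercased, values as lists.

    Comment lines and the ldapsearch trailer (search:/result:) are ignored;
    an entry starts at its dn: line and ends at a blank line.
    """
    entries: List[Dict[str, List[str]]] = []
    current: Optional[Dict[str, List[str]]] = None
    for line in unfold_ldif(text):
        if not line.strip():
            if current:
                entries.append(current)
                current = None
            continue
        if line.startswith("#") or ":" not in line:
            continue
        attr, _, value = line.partition(":")
        attr = attr.strip().lower()
        value = value.strip()
        if value.startswith(":"):  # "attr:: <base64>" form used for non-ASCII values
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        if current is None:
            if attr != "dn":  # trailer lines outside any entry
                continue
            current = {}
        current.setdefault(attr, []).append(value)
    if current:
        entries.append(current)
    return entries


def normalize_dn(dn: str) -> str:
    """Canonical form for comparison: lowercase, no whitespace around the RDN separators.

    Good enough for the cn=...,ou=groups,... DNs in the sample; DNs containing
    escaped commas (\\,) would need a real DN parser.
    """
    return ",".join(part.strip().lower() for part in dn.split(","))


def groups_of(entry: Dict[str, List[str]]) -> Set[str]:
    """Normalised set of group DNs from the entry's memberOf values."""
    return {normalize_dn(v) for v in entry.get("memberof", [])}


def decide_vlan(entry: Dict[str, List[str]], policy=GROUP_VLAN_POLICY) -> Optional[int]:
    """VLAN for the first policy group the user belongs to; None means no access."""
    member = groups_of(entry)
    for group_dn, vlan in policy:
        if normalize_dn(group_dn) in member:
            return vlan
    return None


def evaluate(ldif_text: str, policy=GROUP_VLAN_POLICY) -> Optional[int]:
    """End-to-end: LDIF text -> VLAN or None. Zero or several entries are rejected."""
    entries = parse_entries(ldif_text)
    if len(entries) != 1:  # unknown user, or a filter that matched more than one
        return None
    return decide_vlan(entries[0], policy)


if __name__ == "__main__":
    print("VLAN for sample user:", evaluate(SAMPLE_LDIF))
```

The deny-by-default choices are deliberate: an empty or ambiguous search result yields `None` rather than a fallback VLAN, and a user whose only groups are outside the policy (such as the `Everyone` group in the sample) gets no VLAN at all. Case-insensitive, whitespace-insensitive DN comparison mirrors how an LDAP server itself matches `cn` values, which is the behaviour you want when the group DN is typed by hand into a rule.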
_______________________________________________ PacketFence-users mailing list PacketFence-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/packetfence-users