Re: [PacketFence-users] Assistance with AD dot1x
This is great, thank you, Fabrice!
I may be special or spellbound to all sorts of bumps on the deployment road but nothing works for me the first time.
Now my realm associated with AD works nicely.

Eugene

From: Fabrice Durand via PacketFence-users [mailto:packetfence-users@lists.sourceforge.net]
Sent: Monday, January 08, 2018 6:49 AM
To: packetfence-users@lists.sourceforge.net
Cc: Fabrice Durand
Subject: Re: [PacketFence-users] Assistance with AD dot1x

Hello All,

just to clarify some points.

First, realmd can't be used because we have to use ntlm_auth in FreeRADIUS to authenticate users for EAP/PEAP MSCHAPv2.

Next, Configuration → Policies and Access Control → Domains → Active Directory Domains – Add Domain is only to join the machine to a Windows domain (it creates a chroot for each domain).

Configuration → Policies and Access Control → Domains → Realms is to associate a realm with a Windows domain. It means that if the username is b...@acme.edu and there is a realm defined for acme.edu, then it will use the domain associated with it to validate the credentials (in FreeRADIUS). Don't forget that the username can be ACME\bob, so you will need to create a realm ACME too.

Last thing, in Configuration → Policies and Access Control → Authentication Sources (Type Internal), when you define a realm associated with a source (like acme.edu), it means that if you use a username like b...@acme.edu on the portal or for 802.1x auto registration, then PacketFence will use it (you can strip the username if needed in the source).

Regards
Fabrice

On 2018-01-07 at 19:32, E.P. via PacketFence-users wrote:

I’m curious, did you create a new realm or use the default one and link it to AD?
I tried to create a new realm and it is placed at the end of the list and the authentication never reached it.
It only worked for me if I link the default realm to AD.

Eugene

From: j...@momentumvr.co.uk [mailto:j...@momentumvr.co.uk]
Sent: Sunday, January 07, 2018 5:18 AM
To: 'E.P.'; packetfence-users@lists.sourceforge.net
Subject: RE: [PacketFence-users] Assistance with AD dot1x

Thanks for that Eugene, I will take a look at that log tomorrow morning. The issue is when we try to add the domain via domains>active directory domains>add domain. Strangely connecting via realmd works without issue every time.

John

From: E.P. [mailto:ype...@gmail.com]
Sent: 05 January 2018 19:32
To: packetfence-users@lists.sourceforge.net
Cc: j...@momentumvr.co.uk
Subject: RE: [PacketFence-users] Assistance with AD dot1x

Hi John,

I still have a fresh experience with configuring AD in PF and it worked for me on the first try.
Just to understand it clearly, you can’t complete the configuration if you add the source, i.e.
from the Configuration → Policies and Access Control → Authentication Sources, Add source → Internal - AD.
Or it is failing on adding the domain, i.e.
Configuration → Policies and Access Control → Domains → Active Directory Domains – Add Domain

And of course, as it is stated in the admin guide, I’d go checking this file for any clues:
/chroots//var/log/samba/log.winbindd. Replace with the identifier you set in the domain configuration.

Eugene

From: john--- via PacketFence-users [mailto:packetfence-users@lists.sourceforge.net]
Sent: Friday, January 05, 2018 5:00 AM
To: packetfence-users@lists.sourceforge.net
Cc: j...@momentumvr.co.uk
Subject: [PacketFence-users] Assistance with AD dot1x

Good afternoon everyone,

We are currently working with PF7.3 on Centos 7 and no matter what we do we cannot get AD to complete configuration, it simply returns “Null” so obviously fails. When we use realmd it works fine. My question initially is, does this affect dot1x authentication via AD if we complete this only using realmd and not the configuration panel AD connection method?

As always your help is greatly appreciated.

John

--
Check out the vibrant tech community on one of the world's most engaging tech sites, Slashdot.org! http://sdm.link/slashdot
___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users

--
Fabrice Durand
fdur...@inverse.ca :: +1.514.447.4918 (x135) :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence (http://packetfence.org)
Re: [PacketFence-users] Assistance with AD dot1x
Hello All,

just to clarify some points.

First, realmd can't be used because we have to use ntlm_auth in FreeRADIUS to authenticate users for EAP/PEAP MSCHAPv2.

Next, Configuration → Policies and Access Control → Domains → Active Directory Domains – Add Domain is only to join the machine to a Windows domain (it creates a chroot for each domain).

Configuration → Policies and Access Control → Domains → Realms is to associate a realm with a Windows domain. It means that if the username is b...@acme.edu and there is a realm defined for acme.edu, then it will use the domain associated with it to validate the credentials (in FreeRADIUS). Don't forget that the username can be ACME\bob, so you will need to create a realm ACME too.

Last thing, in Configuration → Policies and Access Control → Authentication Sources (Type Internal), when you define a realm associated with a source (like acme.edu), it means that if you use a username like b...@acme.edu on the portal or for 802.1x auto registration, then PacketFence will use it (you can strip the username if needed in the source).

Regards
Fabrice

--
Fabrice Durand
fdur...@inverse.ca :: +1.514.447.4918 (x135) :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence (http://packetfence.org)
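
The realm lookup Fabrice describes above, modelled as an added example that is not part of the original thread and is not PacketFence or FreeRADIUS code. It assumes usernames are split on "@" (suffix) or "\" (prefix) and matched case-insensitively; the realm table, the "default"/"null" fallback names and the domain identifier "acme_ad" are hypothetical.

```python
# Constructed realm table: realm name -> domain identifier (None = no domain linked).
# "acme_ad" and the realm entries are hypothetical values for illustration.
REALMS = {
    "acme.edu": "acme_ad",   # matches bob@acme.edu
    "acme": "acme_ad",       # matches ACME\bob
    "default": None,         # any realm that is not listed above
    "null": None,            # username carries no realm at all
}


def split_username(username):
    """Return (stripped_user, realm); realm is None when the name has none."""
    if "\\" in username:                      # prefix form: REALM\user
        realm, user = username.split("\\", 1)
        return user, realm
    if "@" in username:                       # suffix form: user@realm
        user, realm = username.rsplit("@", 1)
        return user, realm
    return username, None


def resolve(username, realms=REALMS):
    """Return (matched realm entry, linked domain or None, stripped user)."""
    user, realm = split_username(username)
    if realm is None:
        key = "null"
    else:
        # Case-insensitive match is an assumption of this model.
        key = realm.lower() if realm.lower() in realms else "default"
    return key, realms.get(key), user


def unreachable_formats(samples, realms=REALMS):
    """List the sample usernames that would not reach any AD domain."""
    return [s for s in samples if resolve(s, realms)[1] is None]


if __name__ == "__main__":
    for name in ("bob@acme.edu", "ACME\\bob", "bob", "bob@other.org"):
        print(name, "->", resolve(name))
```

Feeding unreachable_formats the username formats your supplicants actually send shows which realm entries still need a domain linked to them.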
Re: [PacketFence-users] Assistance with AD dot1x
Thanks for that Eugene, I will take a look at that log tomorrow morning. The issue is when we try to add the domain via domains>active directory domains>add domain. Strangely connecting via realmd works without issue every time.

John
Re: [PacketFence-users] Assistance with AD dot1x
I’m curious, did you create a new realm or use the default one and link it to AD?
I tried to create a new realm and it is placed at the end of the list and the authentication never reached it.
It only worked for me if I link the default realm to AD.

Eugene
Re: [PacketFence-users] Assistance with AD dot1x
Hi John,

I still have a fresh experience with configuring AD in PF and it worked for me on the first try.
Just to understand it clearly, you can’t complete the configuration if you add the source, i.e.
from the Configuration → Policies and Access Control → Authentication Sources, Add source → Internal - AD.
Or it is failing on adding the domain, i.e.
Configuration → Policies and Access Control → Domains → Active Directory Domains – Add Domain

And of course, as it is stated in the admin guide, I’d go checking this file for any clues:
/chroots//var/log/samba/log.winbindd. Replace with the identifier you set in the domain configuration.

Eugene
[PacketFence-users] Assistance with AD dot1x
Good afternoon everyone,

We are currently working with PF7.3 on Centos 7 and no matter what we do we cannot get AD to complete configuration, it simply returns “Null” so obviously fails. When we use realmd it works fine. My question initially is, does this affect dot1x authentication via AD if we complete this only using realmd and not the configuration panel AD connection method?

As always your help is greatly appreciated.

John