Hi All,
I have successfully deployed PacketFence Zen13.0 and basic 802.1x
authentication is done via AD. My environment is based on static IP; I am
not using DHCP.
I want to enable machine authentication as well to block all the machines
that are not a part of Domain
I have created an
Hello Michael,
good to know that it works.
On 20-07-08 at 15:54, Michael Brown wrote:
Hi Fabrice,
You were right. As soon as I changed the Auth Source for Domain
Computers to MemberOf is CN=Domain Computers,OU=Domain
Groups,DC=eatontown,DC=local it worked the only caveat being that on
Hi Fabrice,
You were right. As soon as I changed the Auth Source for Domain Computers to
MemberOf is CN=Domain Computers,OU=Domain Groups,DC=eatontown,DC=local it
worked the only caveat being that on the client I had to manually add the ssid
and make sure I set to not check the certificate.
Hi Fabrice,
When I do a test from the AD_Domain-Computers Auth Source I get a green check.
Here is the authentication.conf
Thanks for the help.
# Copyright (C) Inverse inc.
[local]
description=Local Users
type=SQL
[file1]
description=Legacy
On 20-07-06 at 22:01, Michael Brown wrote:
Hi Fabrice,
When I do a test from the AD_Domain-Computers Auth Source I get a
green check.
Ok good.
Here is the authentication.conf
Thanks for the help.
# Copyright (C) Inverse inc.
[local]
description=Local Users
type=SQL
[file1]
Hello Michael,
On 20-07-06 at 10:37, Michael Brown wrote:
Hey Fabrice,
Removed the Host realm, added the domain.local realm. I set this
realm to not strip on radius. Is that correct?
yes it's ok
Still getting can't connect to this network on the test device.
Here are the two
Hey Fabrice,
Removed the Host realm, added the domain.local realm. I set this realm to not
strip on radius. Is that correct?
Still getting can't connect to this network on the test device.
Here are the two logs: Radius.log (on the second attempt to join the ssid shown
below I unchecked
And don't forget to restart RADIUS services after you update your
REALMS ;-)
--
Nicolas Quiniou-Briand
n...@inverse.ca :: +1.514.447.4918 *140 :: https://inverse.ca
Inverse inc. :: Leaders behind SOGo (https://sogo.nu), PacketFence
(https://packetfence.org) and Fingerbank
Hello Michael,
On 20-06-30 at 00:02, Michael Brown via PacketFence-users wrote:
Hi Guys,
I am trying to get machine authentication working so that if a machine
is a member of the Active Directory Domain Computers group it will
join wifi without prompting the user for anything.
The
I am just trying to manually connect to the network for now. Was holding off
on the GP because I am still testing.
I have no problem connecting to the wifi network via 802.1x packetfence when
using a domain username/password. I have a separate Authentication Source
defined for users who are
For the machine auth, are you using the machine account (host/machinename)?
I’d still do it via GPO, but only have the GPO enforce to your test machine(s).
Also, make sure that wireless autoconfig is enabled. That’s bitten me before.
Thanks,
Bill
Sent from my iPad
On Jul 5, 2020, at 11:30
Group Policy for 802.1x - under Computer in GPO Editor, security settings,
wireless. You can set up so GPO has the end system connects to the SSID and
authenticates via 802.1x.
Set up your AD server as the authentication source in PF. It’s explained in
the install doc.
Lots of google
A Windows Domain group policy? That does what? Push out wifi network?
I have Windows NPS setup and computers can join wifi successfully based on
their Domain Computers membership. No special settings are needed, you just
click connect from the regular Windows wifi settings and it authenticated
Just checking to see if any ideas on this one. Thanks.
On Tuesday, June 30, 2020, 04:19:42 PM EDT, Michael Brown via
PacketFence-users wrote:
Hi Guys,
I am trying to get machine authentication working so that if a machine is a
member of the Active Directory Domain Computers group it
Hello,
Probably a Group policy is missing for the computer configuration.
Regards
On Tue, 30 June 2020 at 22:20, Michael Brown via PacketFence-users <
packetfence-users@lists.sourceforge.net> wrote:
> Hi Guys,
>
> I am trying to get machine authentication working so that if a machine is
> a
Hi Guys,
I am trying to get machine authentication working so that if a machine is a
member of the Active Directory Domain Computers group it will join wifi without
prompting the user for anything.
The access points are all Meraki.
On packetfence I have the following: Connection Profile
Hi Ludovic, thanks for the explanation. I re-check my config and all was
correctly configured.
Today I found the issue, my second domain is longer than principal and the
username for machine authentication exceeds the MS limit
(host/MY_PC_WITH_LONG_NAME.mysecond_domain.local). By renaming the
Hello Enrico,
Maybe you could try a vlan filter that checks the username as the computer name
and auto-register it and assign a role.
It’s manageable if you have not too many rules for computers authentication.
Thanks,
Ludovic Zammit
> On Aug 5, 2019, at 5:03 PM, Enrico Pasqualotto
>
Hello Enrico,
You have to create a realm with your domainName.local and enable “Strip in
RADIUS authorization” then on your connection profile you will need an AD
source with the “Username Attribute” with sAMAccountName and
servicePrincipalName.
It will allow you to authenticate users and
Hi all, I have two domain:
mydomain1.local
mydomain2.local
configured with their REALM (MYDOMAIN1 & MYDOMAIN2) and all user auth are
working well over RADIUS + Active-Directory.
Machine_authentication are working well for domain1.local because I have set
the domain in the REALM NULL &
Hello Jason,
if radius rejects it, then it means that the 802.1x auth failed.
The solution will be to configure the supplicant to only do machine auth.
Regards
Fabrice
On 2018-08-20 at 08:46, HALL, Jason (CITY HEALTH CARE PARTNERSHIP CIC -
NNF) via PacketFence-users wrote:
I'm trying to
I'm trying to setup packetfence to use machine authentication for wired
connections.
My switch has 2 VLANS
Vlan 1 - Clients
Vlan 2 - Guests
If the machine is on my domain I want it to drop it vlan 1
So I have a switch setup on packetfence with the right roles and vlan
assignment and an AD
4:02 AM
To: packetfence-users@lists.sourceforge.net
Cc: holger.patz...@t-systems.com
Subject: Re: [PacketFence-users] Machine authentication not getting role
Hello Darryl,
would you be so kind sharing your final configs with us?
We do plan to use something similar in the future and it would be very
]
Sent: Monday, 14 August 2017 23:10
To: Ludovic Zammit
Cc: Sokolowski, Darryl; packetfence-users@lists.sourceforge.net
Subject: Re: [PacketFence-users] Machine authentication not getting role
Aah, perfect! I don’t know what I was doing wrong. I had been failing
previously, and I removed my
, Darryl <ds...@earthcolor.com>
Cc: packetfence-users@lists.sourceforge.net
Subject: Re: [PacketFence-users] Machine authentication not getting role
Hello Darryl,
Sorry I was not that clear, I admit it.
If you want to auto-register domain joined computers without seeing the captive
portal, con
ki, Darryl <ds...@earthcolor.com <mailto:ds...@earthcolor.com>>
> Cc: packetfence-users@lists.sourceforge.net
> <mailto:packetfence-users@lists.sourceforge.net>
> Subject: Re: [PacketFence-users] Machine authentication not getting role
>
> Hello,
>
> If
Cc: packetfence-users@lists.sourceforge.net
Subject: Re: [PacketFence-users] Machine authentication not getting role
Hello,
If you are doing machine authentication with auto registration, you can not
switch a node role because it will be recomputed on every radius request.
You could use the bypas
Date: 8/14/17 7:47 AM (GMT-05:00)
> To: packetfence-users@lists.sourceforge.net
> Cc: Ludovic Zammit <lzam...@inverse.ca>
> Subject: Re: [PacketFence-users] Machine authentication not getting role
>
> PS: /usr/local/pf/bin/pftest authentication username password
>
>
nverse.ca>
Subject: Re: [PacketFence-users] Machine authentication not getting role
PS: /usr/local/pf/bin/pftest authentication username password
You can put "" if you don't want to display the password in the CLI.
Thanks,
Ludovic Zammit
lzam...@inverse.ca :: +1.514.447.4918 (x1
Hello,
Are you doing user authentication? If yes, please check the tool
/usr/local/pf/bin/pftest username password you will see if your username brings
any access settings.
If you check in the /usr/local/pf/logs/packetfence.log you should be able to
see all the action taken after the radius
Hi everyone,
Can anyone help me with this please?
I have the machine authentication source looking at active directory, and a
rule to assign role and access duration.
I am able to automatically register the device via machine authentication, but
I can't get the role assigned when it registers.
-users <packetfence-users@lists.sourceforge.net>
Sent: Tuesday, 11 July 2017 11:36
To: packetfence-users@lists.sourceforge.net
Cc: luca comes
Subject: Re: [PacketFence-users] Machine authentication
Hello Fabrice,
I will test your suggestion, but how can I obtain the machine password? As far
as
ook>
From: Durand fabrice via PacketFence-users
<packetfence-users@lists.sourceforge.net>
Sent: Tuesday, 11 July 2017 01:55
To: packetfence-users@lists.sourceforge.net
Cc: Durand fabrice
Subject: Re: [PacketFence-users] Machine authentication
Hello Luca,
You
Hello Mj,
On 2017-07-10 at 09:54, mj via PacketFence-users wrote:
Hi,
I noticed two ERROR lines in your packetfence.log:
Jul 10 15:21:30 pfnac01 packetfence_httpd.aaa: httpd.aaa(23293)
ERROR: [mac:00:9c:02:92:ea:b0] error creating SNMP v1 read connection
to 10.10.10.4: No response from
:* luca comes; packetfence-users@lists.sourceforge.net
*Subject:* Re: [PacketFence-users] Machine authentication
Your issue is with the DM_Machine_Auth_PDC source.
Verify that you are able to bind with this source.
Also you can use pftest.
On 2017-07-10 at 09:24, luca comes wrote:
Hi Fabric
Subject: Re: [PacketFence-users] Machine authentication
Hi,
I noticed two ERROR lines in your packetfence.log:
> Jul 10 15:21:30 pfnac01 packetfence_httpd.aaa: httpd.aaa(23293) ERROR:
> [mac:00:9c:02:92:ea:b0] error creating SNMP v1 read connection to 10.10.10.4:
> No response from remote
Hi,
I noticed two ERROR lines in your packetfence.log:
Jul 10 15:21:30 pfnac01 packetfence_httpd.aaa: httpd.aaa(23293) ERROR:
[mac:00:9c:02:92:ea:b0] error creating SNMP v1 read connection to 10.10.10.4: No response
from remote host "10.10.10.4" (pf::Switch::connectRead)
and
Jul 10
ì 10 luglio 2017 15:30
To: luca comes; packetfence-users@lists.sourceforge.net
Subject: Re: [PacketFence-users] Machine authentication
Your issue is with the DM_Machine_Auth_PDC source.
Verify that you are able to bind with this source.
Also you can use pftest.
On 2017-07-10 at 09:24, luca comes
---
> *From:* Fabrice Durand <fdur...@inverse.ca>
> *Sent:* Monday, 10 July 2017 15:06
> *To:* luca comes; packetfence-users@lists.sourceforge.net
> *Subject:* Re: [PacketFence-users] Machine authentication
>
>
> The machine
.ms/weboutlook>
From: Fabrice Durand <fdur...@inverse.ca>
Sent: Monday, 10 July 2017 15:06
To: luca comes; packetfence-users@lists.sourceforge.net
Subject: Re: [PacketFence-users] Machine authentication
The machine authentication is ok this time.
> Sent from Outlook <http://aka.ms/weboutlook>
>
>
>
>
> *From:* Fabrice Durand <fdur...@inverse.ca>
> *Sent:* Monday, 10 July 2017 14:48
> *To:* luca comes; packetfence-users@lists.sou
ce-users
> <packetfence-users@lists.sourceforge.net>
> *Sent:* Monday, 10 July 2017 14:23
> *To:* packetfence-users@lists.sourceforge.net
> *Cc:* Fabrice Durand
> *Subject:* Re: [PacketFence-users] Machine authentication
>
>
> Hello Luca,
>
> add a realm dm.l
o: lunedì 10 luglio 2017 14:23
To: packetfence-users@lists.sourceforge.net
Cc: Fabrice Durand
Subject: Re: [PacketFence-users] Machine authentication
Hello Luca,
add a realm dm.loc and assign it to your domain and restart radius.
Regards
Fabrice
On 2017-07-10 at 05:58, luca comes via PacketFence-u
nce-users@lists.sourceforge.net>
Sent: Monday, 10 July 2017 14:22
To: packetfence-users@lists.sourceforge.net
Cc: mj
Subject: Re: [PacketFence-users] Machine authentication
Just to say that I am following this thread with interest, as I
currently have the same issue on my (debian8) install.
GUI says: domain j
> *From:* luca comes via PacketFence-users
> <packetfence-users@lists.sourceforge.net>
> *Sent:* Monday, 10 July 2017 11:42
> *To:* packetfence-users@lists.sourceforge.net
> *Cc:* luca comes
> *Subject:* Re: [PacketFence-users] Machine authentication
>
>
> Hi a
10 luglio 2017 11:42
*To:* packetfence-users@lists.sourceforge.net
*Cc:* luca comes
*Subject:* Re: [PacketFence-users] Machine authentication
Hi all,
any suggestion? I don't know what to check, domain is correctly configured
the tests are fine (wbinfo -u etc.). I added my domain to the LOCAL realm
as pe
: luca comes via PacketFence-users <packetfence-users@lists.sourceforge.net>
Sent: Monday, 10 July 2017 11:42
To: packetfence-users@lists.sourceforge.net
Cc: luca comes
Subject: Re: [PacketFence-users] Machine authentication
Hi all,
any suggestion? I don't know what to check, domain
ook>
From: luca comes via PacketFence-users <packetfence-users@lists.sourceforge.net>
Sent: Friday, 7 July 2017 17:40
To: packetfence-users@lists.sourceforge.net
Cc: luca comes
Subject: Re: [PacketFence-users] Machine authentication
Hi Antoine,
thank you for
forge.net>
Sent: Friday, 7 July 2017 17:20
To: packetfence-users@lists.sourceforge.net
Cc: Antoine Amacher
Subject: Re: [PacketFence-users] Machine authentication
Lucas,
Map the domain on which they should authenticate with the REALM LOCAL.
In configuration -> policies and access co
Lucas,
Map the domain on which they should authenticate with the REALM LOCAL.
In configuration -> policies and access control -> realms
Thanks
On 07/07/2017 11:15 AM, luca comes via PacketFence-users wrote:
Hi all,
I'm trying to do machine authentication vs Windows AD but it doesn't
Hi all,
I'm trying to do machine authentication vs Windows AD but it doesn't work. I've
created the domain and the realm but in the radius debug log I can see that it
is not catching the correct realm:
(20) Fri Jul 7 16:29:45 2017: Debug: Received Access-Request Id 103 from
10.10.10.4:1645
ate the machine name
>> > > (host/FMCART310-15.domain.com
>> > <http://FMCART310-15.domain.com>
>> > > <http://FMCART310-15.domain.com>) and in PacketFence
>> > side we
>> >
d with AD and
> > hostnames being longer than 14/15 characters is that
> they
> > don't authenticate because AD will truncate them.
> > >
> > > https://support.microsoft.com/en-us/kb/909264
>
> >
> https://technet.microsoft.com/en-us/library/cc731383.aspx
> > >
> >
>
https://supportforums.cisco.com/discussion/12299256/ise-admin-server-16-character-hostname
> > >
> > >
ine.
> > >
> > > So the only limit is 64 characters of the dns name.
> > >
> > > Regards
> > > Fabrice
> > >
> > > Le 2016-02-03 10:16, Tedder, Eric a écri
> Regards
>> > Fabrice
>> >
>> > On 2016-02-03 10:16, Tedder, Eric wrote:
>> > > Fabrice,
>> > >
>> > > I am not certain how you get it to work after 15 characters,
>> >
characters is that they
> > don't authenticate because AD will truncate them.
> > >
> > > https://support.microsoft.com/en-us/kb/909264
> > > https://technet.microsoft.com/en-us/library/cc731383.aspx
> > >
> >
> h
co.com/discussion/12299256/ise-admin-server-16-character-hostname
> >
> >
> >
> > -Original Message-----
> > From: Fabrice DURAND [mailto:fdur...@inverse.ca
> <mailto:fdur...@inverse.ca>]
>
Hello Fabrice,
Now I restarted the config from scratch.
0. wipe out existing parameters in vlan_filters.conf
1. Created AD-computer source, according to the Administration Guide.
2. Map this source to 802.1x portal profile.
3. run raddebug -f /usr/local/pf/var/run/radiusd.sock -t 3600
4. I
@lists.sourceforge.net
Subject: Re: [PacketFence-users] machine authentication
Hello Fabrice,
Now I restarted the config from scratch.
0. wipe out existing parameters in vlan_filters.conf
1. Created AD-computer source, according to the Administration Guide.
2. Map this source to 802.1x portal profile.
3
@lists.sourceforge.net
Subject: Re: [PacketFence-users] machine authentication
There is no limit of 14 characters, I have machine auth with more than
30 characters and there is no issue.
Also did you check that the client does machine auth? (windows supplicant)
Regards
Fabrice
On 2016-02-03 at 08:52, Tedder, Eric
ourceforge.net
> *Subject:* Re: [PacketFence-users] machine authentication
>
>
>
> Hello Fabrice,
>
>
>
> Now I restarted the config from scratch.
>
>
>
> 0. wipe out existing parameters in vlan_filters.conf
>
> 1. Created AD-computer source, acco
abrice DURAND [mailto:fdur...@inverse.ca]
> > Sent: Wednesday, February 03, 2016 9:17 AM
> > To: packetfence-users@lists.sourceforge.net
> > Subject: Re: [PacketFence-users] machine authentication
> >
> > There is no limit of 14 characters, I have machine auth with more
ry/cc731383.aspx
> https://supportforums.cisco.com/discussion/12299256/ise-admin-server-16-character-hostname
>
>
>
> -Original Message-
> From: Fabrice DURAND [mailto:fdur...@inverse.ca]
> Sent: Wednesday, February 03, 2016 9:17 AM
> To: packetfence-users@lists.sourceforge.net
> Subj
Hello Reeyon,
On 2016-02-02 at 02:12, Reeyon Lim wrote:
> Hello Everyone,
>
> Sorry for my multiple questions recently.
No problem, the mailing list is for that.
> I have been setting up a 802.1x authentication for the lab, but I need
> to do more secure of 802.1x authentication where I found
Hello Everyone,
Sorry for my multiple questions recently.
I have been setting up a 802.1x authentication for the lab, but I need to
do more secure of 802.1x authentication where I found machine
authentication in the Administration guide.
Tried to follow every steps in the guide, but failed to
Hello Rob,
the first thing we need to see is the radius debug.
Let's do that:
pkill radiusd
radiusd -d /usr/local/pf/raddb -X
Then do your machine auth and paste the result.
Also do you have something in packetfence.log about the user
host/Robs-Laptop.X.local ?
Regards
Fabrice
Le
67 matches