Hello Jason,
On 2017-11-21 at 23:40, Jason Sloan wrote:
> Fabrice,
>
> Totally understand being busy. Thanks for the reply. I was actually
> able to get this working a few hours ago, and hadn't had time to post
> a reply. I'm not sure what did it, perhaps adding "strip" to the realm
> options
Fabrice,
Totally understand being busy. Thanks for the reply. I was actually able to
get this working a few hours ago, and hadn't had time to post a reply. I'm
not sure what did it, perhaps adding "strip" to the realm options because
the radius stripped name for hosts is host/ - this likely
Hello Jason,
Sorry for the delay in answering, I was a little bit busy these last days.
Can you enable normalize_radius_machine_auth_username in the advanced
section and retry?
Because as you say, the username is stripped and it's probably because
PacketFence uses the TLS-Client-Cert-Common-Name
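To make the stripping Fabrice and Jason are discussing concrete, here is an added illustration, not PacketFence's own code: it takes a machine-auth User-Name in the forms that turn up in this thread (realm suffix, NTLM-style prefix, bare certificate CN with the "host/" service-principal prefix) and shows where the realm ends up null unless something re-derives it. The realm formats, the default realm and the host names are assumptions.

```python
# Constructed example of realm/username normalisation for 802.1X machine
# auth; it is not PacketFence's implementation and the formats below are
# assumptions (User-Name "user@REALM", "DOMAIN\user", and the "host/" prefix
# that Windows machine accounts carry in their service principal name).

DEFAULT_REALM = "CORP.EXAMPLE.COM"   # assumption: a configured default realm

def split_realm(user_name):
    """Return (bare_name, realm). realm is None when the name carries none,
    which is the 'realm is coming up null' situation from the thread."""
    if "\\" in user_name:                       # DOMAIN\user
        realm, _, bare = user_name.partition("\\")
        return bare, realm.upper()
    if "@" in user_name:                        # user@REALM
        bare, _, realm = user_name.rpartition("@")
        return bare, realm.upper()
    return user_name, None                      # bare name, e.g. a cert CN

def normalize_machine_name(user_name, default_realm=DEFAULT_REALM):
    """Map a machine-auth identity to the AD computer-account form ("pc1$")
    plus the realm it should be looked up in."""
    bare, realm = split_realm(user_name)
    if bare.lower().startswith("host/"):        # drop the SPN prefix
        bare = bare[len("host/"):]
    # A certificate CN such as "pc1.corp.example.com" carries the realm only
    # in its DNS suffix; fall back to it, then to the default realm.
    short, _, dns_suffix = bare.partition(".")
    if realm is None:
        realm = dns_suffix.upper() if dns_suffix else default_realm
    return short.lower() + "$", realm

if __name__ == "__main__":
    for name in ("host/PC1.corp.example.com", "host/pc1@CORP.EXAMPLE.COM",
                 "CORP\\host/pc1", "pc1"):
        print(name, "->", normalize_machine_name(name))
```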
I manually changed the "unregistered" VLAN for the switch, to return the
vlan for "corp-machines" (10 instead of 91) and this worked as expected so
the dynamic vlan assignment configuration and subsequent DHCP are working
as expected. The question remains, how do I get the 802.1x EAP-TLS requests
I may have been too quick to call this good.
The devices are now self registering which I thought was going to solve all
my problems but the appropriate role is still not getting returned. What
appears to be the problem is the realm is coming up null. I've followed the
setup guide and configured
I found this lovely little nugget here:
https://sourceforge.net/p/packetfence/mailman/message/33699954/ which
pointed me in the right direction. Looks like I needed auto-register ticked
on my profile and all was right in the world.
packetfence.log:
According to packetfence.log it doesn't look like it's keeping the "host/"
portion of the service principal name.
Nov 19 23:38:42 pfence packetfence_httpd.aaa: httpd.aaa(6630) INFO: [mac:
bc:85:56:61:d4:0b] handling radius autz request: from switch_ip =>
(x.x.x.3),
First time setup - having some trouble with 802.1x EAP-TLS and AD
Authentication.
Audit Information Returning VLAN 91 (Unregistered VLAN)
Corporate-Machine (or Corporate-User) should return VLAN 10.
Am I not supposed to chain 802.1x together with PF Authentication?
It's quite possible I'm not