Thank you Antoine and Louis for your responses.

I am early enough in the POC to build a new server with 6.5, so I'll see
how I get on with that.

On 6 February 2017 at 18:30, Antoine Amacher <[email protected]> wrote:

> Philip,
>
> If you joined the domain via realm or samba from the CLI, there is a
> configuration issue to handle machine authentication. It is fixed in 6.5;
> running the migrate.pl should fix your issue.
>
> Thanks
>
> On 02/06/2017 12:21 PM, Philip Damian-Grint wrote:
>
> Hi Antoine,
>
> Thank you for responding.
>
> So I have a source for machine authentication which uses
> servicePrincipalName.
> I find the instructions unclear for configuring the realm - I have a
> default realm which references my machine authentication source, but with
> nothing in the Domain field. I am following option 1b in the admin guide so
> I haven't run the migrate.pl task, but rather joined to the domain using
> Samba. Is this not correct?
>
>
>
>
> On 6 February 2017 at 16:40, Antoine Amacher <[email protected]> wrote:
>
>> Hello Philip
>>
>> You are trying to do Machine Authentication; make sure the "Username
>> Attribute" you are looking for in your AD source is
>> servicePrincipalName (machine auth) and not sAMAccountName (user auth).
>>
>> Also make sure your realms are configured.
>> Let us know if that helps.
>>
>> Thanks
>>
>> On 02/06/2017 10:22 AM, Philip Damian-Grint wrote:
>>
>> Hello mailing list,
>>
>> Running PacketFence 6.4.0-1 on CentOS 7.3.1611
>> Test switch is Cisco 2960 running 15.0(1)SE3
>>
>> I have joined the server to our AD domain
>> net ads testjoin returns "Join is OK"
>> I have enabled winbind, and ntlm_auth successfully authenticates domain
>> users.
>> I have issued a certificate from our AD PKI to the PF server, and also
>> copied the CA cert into a separate eap-tls folder as suggested, then
>> updated eap.conf - radiusd seems to be happy with it.
>>
>> I am trying to get dot1x *wired* machine authentication working for
>> domain-joined machines.
>>
>> When I connect a domain-joined computer to a dot1x port the radiusd log
>> shows:
>> mschap: Program returned code (1) and output 'Logon failure (0xc000006d)'
>>
>> I have seen elsewhere in the mailing lists a few responses by Louis Munro
>> around troubleshooting this with ntlm_auth, and certainly running ntlm_auth
>> with the challenge and response shown in the log is giving me the same
>> error.
>>
>> Not sure where to go with this - I think I probably don't understand my
>> options on machine authentication in terms of certificate vs machine
>> account/password, and therefore have an incomplete config.
>>
>> Would anyone be able to nudge me a little further along? I think I would
>> like authentication by certificate for domain-joined machines to work,
>> unless you can recommend otherwise.
>>
>>
>>
>>
>> ------------------------------------------------------------------------------
>> Check out the vibrant tech community on one of the world's most
>> engaging tech sites, SlashDot.org! http://sdm.link/slashdot
>>
>> _______________________________________________
>> PacketFence-users mailing list
>> [email protected]
>> https://lists.sourceforge.net/lists/listinfo/packetfence-users
>>
>> --
>> Antoine [email protected]  ::  www.inverse.ca +1.514.447.4918 x130  :: +1 (866) 353-6153 x130
>> Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence (www.packetfence.org)