Hi Antoine,

I reinstalled with PF 6.5.0-1, joined the server to AD, and machine
authentication now works for a domain-joined PC. The only problem is that
after a successful authentication, PF always places the port into the
registration VLAN. It seems to ignore all sources, realms etc., and only
look at the registration role on the switch itself. Is there something
different I need to do for this release?



On 6 February 2017 at 18:30, Antoine Amacher <[email protected]> wrote:

> Philip,
>
> If you joined the domain via realm or samba from the CLI, there is a
> configuration issue to handle machine authentication. It is fixed in 6.5,
> running the migrate.pl should fix your issue.
>
> Thanks
>
> On 02/06/2017 12:21 PM, Philip Damian-Grint wrote:
>
> Hi Antoine,
>
> Thank you for responding.
>
> So I have a source for machine authentication which uses
> servicePrincipalName.
> I find the instructions unclear for configuring the realm - I have a
> default realm which references my machine authentication source, but with
> nothing in the Domain field. I am following option 1b in the admin guide so
> I haven't run the migrate.pl task, but rather joined to the domain using
> Samba. Is this not correct?
>
>
>
>
> On 6 February 2017 at 16:40, Antoine Amacher <[email protected]> wrote:
>
>> Hello Philip
>>
>> You are trying to do Machine Authentication, so make sure the "Username
>> Attribute" you are looking for in your AD source is
>> servicePrincipalName (machine auth) and not sAMAccountName (user auth).
>>
>> Also make sure your realms are configured.
>> Let us know if that helps.
>>
>> Thanks
>>
>> On 02/06/2017 10:22 AM, Philip Damian-Grint wrote:
>>
>> Hello mailing list,
>>
>> Running PacketFence 6.4.0-1 on CentOS 7.3.1611
>> Test switch is Cisco 2960 running 15.0(1)SE3
>>
>> I have joined the server to our AD domain
>> net ads testjoin returns "Join is OK"
>> I have enabled winbind, and ntlm_auth successfully authenticates domain
>> users.
>> I have issued a certificate from our AD PKI to the PF server, and also
>> copied the CA cert into a separate eap-tls folder as suggested, then
>> updated eap.conf - radiusd seems to be happy with it.
>>
>> I am trying to get dot1x *wired* machine authentication working for
>> domain-joined machines.
>>
>> When I connect a domain-joined computer to a dot1x port the radiusd log
>> shows:
>> mschap: Program returned code (1) and output 'Logon failure (0xc000006d)'
>>
>> I have seen elsewhere in the mailing lists a few responses by Louis Munro
>> around troubleshooting this with ntlm_auth, and certainly running ntlm_auth
>> with the challenge and response shown in the log is giving me the same
>> error.
>>
>> Not sure where to go with this - I think I probably don't understand my
>> options on machine authentication in terms of certificate vs machine
>> account/password, and therefore have an incomplete config.
>>
>> Would anyone be able to nudge me a little further along? I think I would
>> like authentication by certificate for domain-joined machines to work,
>> unless you can recommend otherwise.
>>
>>
>>
>>
>>
>> --
>> Antoine [email protected]  ::  www.inverse.ca  ::  +1.514.447.4918 x130  ::  +1 (866) 353-6153 x130
>> Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence (www.packetfence.org)
>>
>
>
>
>
>
>
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, SlashDot.org! http://sdm.link/slashdot
_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
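Added example, not code from PacketFence, FreeRADIUS or anyone in this thread: a small Python triage helper for the situation discussed above. It parses the kind of radiusd `mschap:` line Philip quoted to pull out the NTSTATUS code that ntlm_auth returned, checks whether the EAP identity looks like a Windows machine-auth identity (`host/<fqdn>`) and therefore, as Antoine points out, must be matched against `servicePrincipalName` in the AD source rather than `sAMAccountName`, and builds the corresponding RFC 4515-escaped LDAP filter. The sample log lines, identities and hostnames are constructed; the NTSTATUS names are the standard MS-ERREF constants.

```python
"""Triage radiusd mschap/ntlm_auth failures for 802.1X machine authentication.

Constructed example for illustration; not PacketFence or FreeRADIUS code.
"""
import re

# Subset of NTSTATUS codes ntlm_auth commonly reports (names per MS-ERREF).
NTSTATUS = {
    0xC000006D: "STATUS_LOGON_FAILURE",
    0xC000006A: "STATUS_WRONG_PASSWORD",
    0xC0000064: "STATUS_NO_SUCH_USER",
    0xC0000072: "STATUS_ACCOUNT_DISABLED",
    0xC0000234: "STATUS_ACCOUNT_LOCKED_OUT",
    0xC0000071: "STATUS_PASSWORD_EXPIRED",
}

# Matches e.g.: mschap: Program returned code (1) and output 'Logon failure (0xc000006d)'
_MSCHAP_RE = re.compile(
    r"mschap: Program returned code \((\d+)\) and output "
    r"'(.*?)\s*\((0x[0-9a-fA-F]{8})\)'"
)

# Windows sends host/<computer>.<domain> as the EAP identity for machine auth.
_HOST_SPN_RE = re.compile(r"^host/([^./@]+)(?:\.(.+))?$", re.IGNORECASE)

# Constructed sample log; the first line is the one quoted in the thread.
SAMPLE_LOG = """\
(12) mschap: Program returned code (1) and output 'Logon failure (0xc000006d)'
(13) mschap: Program returned code (1) and output 'No such user (0xc0000064)'
(14) mschap: Program returned code (0) and output 'NT_KEY: 0123456789ABCDEF0123456789ABCDEF'
"""


def parse_mschap_line(line):
    """Return (exit_code, message, ntstatus) for an mschap failure line, else None."""
    m = _MSCHAP_RE.search(line)
    if not m:
        return None
    return int(m.group(1)), m.group(2), int(m.group(3), 16)


def ntstatus_name(code):
    """Symbolic NTSTATUS name, or a labelled UNKNOWN_ value for codes not in the table."""
    return NTSTATUS.get(code, "UNKNOWN_0x%08X" % code)


def classify_identity(identity):
    """Decide whether an EAP identity is a machine or a user identity and which
    AD attribute the PacketFence AD source must use as its Username Attribute."""
    m = _HOST_SPN_RE.match(identity)
    if m:
        return {
            "kind": "machine",
            "username_attribute": "servicePrincipalName",
            # Computer objects also carry sAMAccountName = <NETBIOS name>$,
            # which is why a sAMAccountName lookup on host/... finds nothing.
            "sam_account_name": m.group(1).upper() + "$",
        }
    return {
        "kind": "user",
        "username_attribute": "sAMAccountName",
        "sam_account_name": identity.split("\\")[-1],  # strip DOMAIN\ prefix
    }


def ldap_escape(value):
    """RFC 4515 escaping for a value embedded in an LDAP search filter."""
    return (value.replace("\\", "\\5c").replace("*", "\\2a")
                 .replace("(", "\\28").replace(")", "\\29").replace("\0", "\\00"))


def build_filter(identity):
    """LDAP filter that would match this identity with the right attribute."""
    info = classify_identity(identity)
    return "(%s=%s)" % (info["username_attribute"], ldap_escape(identity))


def triage(log_text, identity):
    """One finding string per mschap failure in log_text for the given identity."""
    ident = classify_identity(identity)
    findings = []
    for line in log_text.splitlines():
        parsed = parse_mschap_line(line)
        if parsed is None:
            continue  # success line or unrelated module output
        _rc, msg, status = parsed
        findings.append("%s (%s) for %s identity %r; AD source must match on %s"
                        % (ntstatus_name(status), msg, ident["kind"],
                           identity, ident["username_attribute"]))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG, "host/pc01.corp.example.com"):
        print(finding)
    print(build_filter("host/pc01.corp.example.com"))
```

Run it against a real `radius.log` excerpt and the identity seen in the `User-Name` attribute; a `host/...` identity combined with an AD source whose Username Attribute is `sAMAccountName` is the mismatch Antoine describes, independent of what the NTSTATUS code says about the credential itself.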
