packetfence.log:

According to packetfence.log it doesn't look like it's keeping the "host/"
portion of the service principal name.

Nov 19 23:38:42 pfence packetfence_httpd.aaa: httpd.aaa(6630) INFO: [mac:bc:85:56:61:d4:0b] handling radius autz request: from switch_ip => (x.x.x.3), connection_type => Wireless-802.11-EAP,switch_mac => (3a:5b:0e:2e:be:90), mac => [bc:85:56:61:d4:0b], port => external, username => "DESKTOP-6U152VD.mydomain.local", ssid => corp-wlan (pf::radius::authorize)


On Sun, Nov 19, 2017 at 8:34 PM, Jason Sloan <jason.a.sl...@gmail.com>
wrote:

> First time setup - having some trouble with 802.1x EAP-TLS and AD
> Authentication.
> Audit Information Returning VLAN 91 (Unregistered VLAN)
> Corporate-Machine (or Corporate-User) should return VLAN 10.
>
> Am I not supposed to chain 802.1x together with PF Authentication?
>
> It's quite possible I'm not doing this right, but I setup an Auth rule and
> assigned the appropriate roles and vlans to those roles...
>
> Here's some additional info...somewhat sanitized.
>
>
> RADIUS Request
> User-Name = "host/DESKTOP-6U152VD.mydomain.local"
> NAS-IP-Address = x.x.x.3
> NAS-Port = 1
> Framed-IP-Address = 169.254.131.196
> Framed-MTU = 1400
> State = 0x55d311af5ecd1c12b3dbfec11ed99383
> Called-Station-Id = "3a:5b:0e:2e:be:90:corp-wlan"
> Calling-Station-Id = "bc:85:56:61:d4:0b"
> NAS-Identifier = "x.x.x.21/5246-corp-wlan"
> NAS-Port-Type = Wireless-802.11
> Acct-Session-Id = "5A010398-00026452"
> Event-Timestamp = "Nov 19 2017 20:00:03 EST"
> Connect-Info = "CONNECT 0Mbps 11N_5G"
> EAP-Message = 0x021e00060d00
> Message-Authenticator = 0xb2c94b69d3ea063856c1ed222f2d2865
> EAP-Type = TLS
> Stripped-User-Name = "host/DESKTOP-6U152VD.mydomain.local"
> Realm = "null"
> FreeRADIUS-Client-IP-Address = x.x.x.3
> Called-Station-SSID = "corp-wlan"
> Tmp-String-1 = "bc855661d40b"
> TLS-Cert-Serial = "4400000003c77f32429e20e6ed000000000003"
> TLS-Cert-Expiration = "270306042911Z"
> TLS-Cert-Issuer = "/C=US/O=mydomain/OU=PKI/CN=mydomain Corporate Root CA G1"
> TLS-Cert-Subject = "/DC=local/DC=mydomain/CN=mydomain Corporate Autoenrollment CA G1 S01"
> TLS-Cert-Common-Name = "mydomain Corporate Autoenrollment CA G1 S01"
> TLS-Client-Cert-Serial = "6a0000158bac2d3df1436f4baf00010000158b"
> TLS-Client-Cert-Expiration = "191116204434Z"
> TLS-Client-Cert-Issuer = "/DC=local/DC=mydomain/CN=mydomain Corporate Autoenrollment CA G1 S01"
> TLS-Client-Cert-Subject = "/CN=DESKTOP-6U152VD.mydomain.local"
> TLS-Client-Cert-Common-Name = "DESKTOP-6U152VD.mydomain.local"
> TLS-Client-Cert-X509v3-Extended-Key-Usage = "TLS Web Server Authentication TLS Web Client Authentication"
> TLS-Client-Cert-X509v3-Subject-Key-Identifier = "04:44:15:39:14:EE:0E:A9:69:59:37:16:CD:DA:94:14:3A:68:87:26"
> TLS-Client-Cert-X509v3-Authority-Key-Identifier = "keyid:A6:E1:0D:92:EE:22:E3:27:58:02:E7:56:33:BE:44:53:9A:CD:A7:8D\n"
> TLS-Client-Cert-Subject-Alt-Name-Dns = "DESKTOP-6U152VD.mydomain.local"
> User-Password = "******"
> SQL-User-Name = "host/DESKTOP-6U152VD.mydomain.local"
>
>
>
> RADIUS Reply
> MS-MPPE-Recv-Key = 0x5a12d15c537cb9548201bdc6787acc5d171b95fc685c728a730cd65b2b5ff784
> MS-MPPE-Send-Key = 0x57866b78adf7dee2f09cbc2633394fb022e08f2f4bc47b26a60138092e702665
> EAP-MSK = 0x5a12d15c537cb9548201bdc6787acc5d171b95fc685c728a730cd65b2b5ff78457866b78adf7dee2f09cbc2633394fb022e08f2f4bc47b26a60138092e702665
> EAP-EMSK = 0xc4b2f601caf22a037196ae1a52c1d132be343648e032933617ef1106bfde65b5b9527a7be716677be6ae654a36e75b9896301388b50be6d2aa945275e34d78f5
> EAP-Session-Id = 0x0d5a1229135ec4c3c0df3ea2b164c83df98e81808b00e4f3acbeb20407bfd3581cbd25466430f9e2e15d2b76e649b86ccf550701a919848ad832d580be99283a0c
> EAP-Message = 0x031e0004
> Message-Authenticator = 0x00000000000000000000000000000000
> Stripped-User-Name = "host/DESKTOP-6U152VD.mydomain.local"
> Tunnel-Type = VLAN
> Tunnel-Private-Group-Id = "91"
> Tunnel-Medium-Type = IEEE-802
>
>
>
> pftest authentication with the hostname returns the appropriate response
> (Bad password though)
>
> Authenticating against machineAuth
>   Authentication FAILED against machineAuth (Invalid login or password)
>   Matched against machineAuth for 'authentication' rules
>     set_role : corporate-machine
>     set_unreg_date : 2038-01-01
>   Did not match against machineAuth for 'administration' rules
>
>
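An added example, not from the thread or from PacketFence's own code, that parses the quoted RADIUS request and runs the checks a defender would want on an EAP-TLS machine login: the client certificate carries the clientAuth EKU, its CN or SAN is bound to the host named in User-Name, and the identity forms a directory lookup could receive are listed side by side (the raw SPN, the FQDN with host/ stripped as packetfence.log shows it, the short host name and, as an assumption about AD computer accounts rather than anything the thread states, the HOSTNAME$ account form). The attribute excerpt is constructed from the thread's own values with the hex blobs omitted.

```python
import re

# Constructed excerpt of the RADIUS request attributes quoted in the thread
# (hex blobs omitted); the values are the thread's own.
RADIUS_REQUEST = """\
User-Name = "host/DESKTOP-6U152VD.mydomain.local"
NAS-Port-Type = Wireless-802.11
EAP-Type = TLS
Stripped-User-Name = "host/DESKTOP-6U152VD.mydomain.local"
TLS-Client-Cert-Subject = "/CN=DESKTOP-6U152VD.mydomain.local"
TLS-Client-Cert-Common-Name = "DESKTOP-6U152VD.mydomain.local"
TLS-Client-Cert-X509v3-Extended-Key-Usage = "TLS Web Server Authentication TLS Web Client Authentication"
TLS-Client-Cert-Subject-Alt-Name-Dns = "DESKTOP-6U152VD.mydomain.local"
"""

# One 'Attribute = value' line, with or without surrounding quotes.
ATTR_RE = re.compile(r'^\s*([\w-]+)\s*=\s*"?(.*?)"?\s*$')

def parse_attrs(text):
    """Parse a FreeRADIUS-style attribute dump into a dict."""
    attrs = {}
    for line in text.splitlines():
        m = ATTR_RE.match(line)
        if m:
            attrs[m.group(1)] = m.group(2)
    return attrs

def identity_forms(user_name):
    """Identity forms a machine login may be looked up by: raw SPN, FQDN without
    host/ (as packetfence.log shows), short host name and, assumed for AD
    computer accounts, HOSTNAME$."""
    fqdn = user_name.split("/", 1)[1] if user_name.lower().startswith("host/") else user_name
    short = fqdn.split(".", 1)[0]
    return {"spn": user_name, "fqdn": fqdn, "short": short, "sam": short.upper() + "$"}

def check_eap_tls_binding(attrs):
    """Consistency checks on an EAP-TLS request: the client cert must carry the
    clientAuth EKU and its CN or SAN must name the host given in User-Name."""
    problems = []
    forms = identity_forms(attrs.get("User-Name", ""))
    if attrs.get("EAP-Type") != "TLS":
        problems.append("not EAP-TLS")
    eku = attrs.get("TLS-Client-Cert-X509v3-Extended-Key-Usage", "")
    if "TLS Web Client Authentication" not in eku:
        problems.append("client cert lacks clientAuth EKU")
    cn = attrs.get("TLS-Client-Cert-Common-Name", "").lower()
    san = attrs.get("TLS-Client-Cert-Subject-Alt-Name-Dns", "").lower()
    if forms["fqdn"].lower() not in (cn, san):
        problems.append("User-Name host does not match cert CN/SAN")
    return forms, problems
```

For the thread's request the checks pass, which narrows the VLAN 91 result to how the stripped identity is matched against the AD source rather than to the certificate itself.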
_______________________________________________
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users