Rather than using the source IP, can I not use the EAP type, so say, if EAP-Type=EAP-MD5 then proxy...

Thanks

-----Original Message-----
From: Fabrice Durand via PacketFence-users [mailto:packetfence-users@lists.sourceforge.net]
Sent: 23 July 2019 16:19
To: packetfence-users@lists.sourceforge.net
Cc: Fabrice Durand <fdur...@inverse.ca>
Subject: Re: [PacketFence-users] EAP-MD5 & Active Directory?

Hello John,

so not really complex to configure.

First you need to add a new radius authentication source in PacketFence (your NPS server).

Next create a new REALM (like MD5) and add the NPS server in the radius auth list.

Next you will need to edit the file conf/radiusd/packetfence and in the authorize section:

    ....
    ntdomain
    if (Packet-Src-IP-Address == '192.168.0.1') {
        update control {
            &Proxy-To-Realm := 'MD5'
        }
    }
    ....

So if the source ip is 192.168.0.1 then proxy to the realm MD5 which is the NPS server.

Regards

Fabrice

On 19-07-22 at 11:23, John Sayce via PacketFence-users wrote:
> Yes I'm interested in this. Thanks
>
> My IP phones are Avaya 1608 model. The username is the mac address but the
> password is numeric only.
>
> So is the active directory source just an LDAP connection? (Renamed to help
> end users?) I thought it'd be different.
>
> -----Original Message-----
> From: Fabrice Durand via PacketFence-users
> [mailto:packetfence-users@lists.sourceforge.net]
> Sent: 22 July 2019 14:11
> To: packetfence-users@lists.sourceforge.net
> Cc: Fabrice Durand <fdur...@inverse.ca>
> Subject: Re: [PacketFence-users] EAP-MD5 & Active Directory?
>
> Hello John,
>
> if your phone does eap-md5 with the username and the password equal to the
> mac address then it will work as is in PacketFence.
>
> Also to use AD you need to be able to fetch the clear text password which is
> not possible with LDAP.
>
> To be able to make it work then you will need to proxy the request to the NPS
> since it is to fetch the clear text password.
>
> It will require a little bit of unlang and realm configuration.
>
> If you are interested to do that I will be able to explain you how to
> configure it.
>
> Regards
>
> Fabrice
>
>
> On 19-07-22 at 08:01, John Sayce via PacketFence-users wrote:
>> I've tried changing that setting (and restarting) but it doesn't seem to
>> have any effect. I assume that's because it controls how packetfence stores
>> user passwords in its local database rather than in active directory.
>>
>> I appreciate that the password needs to be plain text, however I'm not sure
>> how that works with active directory from freeradius. I've configured
>> active directory to store the password with reversible encryption so it can
>> be decrypted to plain text. This in turn means EAP-MD5 works when I use NPS
>> (which has the same requirements) but maybe that doesn't work with
>> freeradius because the mechanism to connect to the database doesn't support
>> the way windows is dealing with the password?
>>
>> The log tends to suggest to me that it's not even trying active directory
>> with EAP-MD5 despite there being no other authentication sources configured
>> "Info: rlm_sql (sql)"
>>
>> I can't seem to find any documentation about this.
>>
>>
>> -----Original Message-----
>> From: Nicolas Quiniou-Briand via PacketFence-users
>> [mailto:packetfence-users@lists.sourceforge.net]
>> Sent: 22 July 2019 12:30
>> To: packetfence-users@lists.sourceforge.net
>> Cc: Nicolas Quiniou-Briand <n...@inverse.ca>
>> Subject: Re: [PacketFence-users] EAP-MD5 & Active Directory?
>>
>> Hello John
>>
>> On 2019-07-22 11:34 a.m., John Sayce via PacketFence-users wrote:
>>> Mon Jul 22 10:13:31 2019 : Auth: (13018) Login incorrect (eap_md5:
>>> Cleartext-Password is required for EAP-MD5 authentication):
>>> [asd\switch1] (from client 10.8.4.2 port 31 cli 54:80:28:9c:50:50)
>> Try to change "Database passwords hashing method" setting to "plain" in
>> Configuration -> System configuration -> Main configuration -> Advanced.
>>
>> As mentioned here [0], EAP-MD5 is only compatible with clear text passwords.
>>
>> [0] http://deployingradius.com/documents/protocols/compatibility.html
>> --
>> Nicolas Quiniou-Briand
>> n...@inverse.ca :: +1.514.447.4918 *140 :: https://inverse.ca
>> Inverse inc. :: Leaders behind SOGo (https://sogo.nu), PacketFence
>> (https://packetfence.org) and Fingerbank (http://fingerbank.org)
>>
>>
>> _______________________________________________
>> PacketFence-users mailing list
>> PacketFence-users@lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/packetfence-users
> --
> Fabrice Durand
> fdur...@inverse.ca :: +1.514.447.4918 (x135) :: www.inverse.ca
> Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence
> (http://packetfence.org)

--
Fabrice Durand
fdur...@inverse.ca :: +1.514.447.4918 (x135) :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence
(http://packetfence.org)
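
Why the log line quoted in this thread asks for Cleartext-Password, as an added example that is not part of the original messages or of PacketFence/FreeRADIUS code: the EAP-MD5 response is MD5(Identifier || secret || Challenge) as defined in RFC 1994, so the server must be able to recompute it from the real password. The function names, the password, identifier and challenge values, and the use of SHA-256 as the stand-in "stored hash" are assumptions made for the illustration.

```python
import hashlib
import hmac


def eap_md5_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """MD5-Challenge value per RFC 1994: MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def verify_with_cleartext(identifier, challenge, response, cleartext: bytes) -> bool:
    """Server side when the password store can return the clear text password."""
    expected = eap_md5_response(identifier, cleartext, challenge)
    return hmac.compare_digest(expected, response)


def verify_with_stored_hash(identifier, challenge, response, stored_hash: bytes) -> bool:
    """Server side when only a one-way hash is stored. The most it can do is
    use the hash itself as the secret, which does not reproduce the value the
    supplicant computed from the real password."""
    expected = eap_md5_response(identifier, stored_hash, challenge)
    return hmac.compare_digest(expected, response)


def demo() -> dict:
    # Constructed sample values, not taken from the thread.
    password = b"123456"          # numeric-only device password (made up)
    identifier = 7                # EAP Identifier of the challenge packet
    challenge = bytes(range(16))  # fixed 16-byte challenge for repeatability

    # Supplicant (the phone) answers the challenge using its password.
    response = eap_md5_response(identifier, password, challenge)

    # A store that keeps only a one-way hash (SHA-256 chosen as a stand-in).
    stored_hash = hashlib.sha256(password).digest()

    return {
        "cleartext_store": verify_with_cleartext(identifier, challenge, response, password),
        "hashed_store": verify_with_stored_hash(identifier, challenge, response, stored_hash),
        "wrong_password": verify_with_cleartext(identifier, challenge, response, b"654321"),
    }


if __name__ == "__main__":
    print(demo())
```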