I am not sure that the attribute is set and available in the packetfence
/ authorize section.
I think it's only available in packetfence-tunnel but it's too late to
proxy in this case.
Le 19-07-24 à 04 h 02, John Sayce a écrit :
Rather than using the source IP, can I not use the EAP type, so say, if
EAp-Type=EAP-MD5 then proxy........
Thanks
-----Original Message-----
From: Fabrice Durand via PacketFence-users
[mailto:packetfence-users@lists.sourceforge.net]
Sent: 23 July 2019 16:19
To: packetfence-users@lists.sourceforge.net
Cc: Fabrice Durand <fdur...@inverse.ca>
Subject: Re: [PacketFence-users] EAP-MD5 & Active Directory?
Hello John,
so not really complex to configure.
First you need to add a new radius authentication source in PacketFence (you
NPS server).
Next create a new REALM (like MD5) and add the NPS server in the radius auth
list.
Next you will need to edit the file conf/radiusd/packetfence and in teh
authorize section:
....
ntdomain
if (Packet-Src-IP-Address == '192.168.0.1') {
update control {
&Proxy-To-Realm := 'MD5'
}
}
....
So if the source ip is 192.168.0.1 then proxy to the realm MD5 which is
the NPS server.
Regards
Fabrice
Le 19-07-22 à 11 h 23, John Sayce via PacketFence-users a écrit :
Yes I'm interested in this. Thanks
My IP phones are Avaya 1608 model. The username is the mac address but the
password is numeric only.
So is the active directory source just an LDAP connection? (Renamed to help
end users?) I thought it'd be different.
-----Original Message-----
From: Fabrice Durand via PacketFence-users
[mailto:packetfence-users@lists.sourceforge.net]
Sent: 22 July 2019 14:11
To: packetfence-users@lists.sourceforge.net
Cc: Fabrice Durand <fdur...@inverse.ca>
Subject: Re: [PacketFence-users] EAP-MD5 & Active Directory?
Hello John,
if your phone does eap-md5 with the username and the password equal to the mac
address then it will work as is in PacketFence.
Also to use AD you need to be able to fetch the clear text password which is
not possible with LDAP.
To be able to make it work then you will need to proxy the request to the NPS
since it is to fetch the cleat text password.
It will require a little bit of unlang and realm configuration.
If you are interested to do that i will be able to explain you how to configure
it.
Regards
Fabrice
Le 19-07-22 à 08 h 01, John Sayce via PacketFence-users a écrit :
I've tried changing that setting (and restarting) but it doesn't seem to have
any effect. I assume that's because it controls how packetfence stores user
passwords in its local database rather than in active directory.
I appreciate that the password needs to be plain text, however I'm not sure how
that works with active directory from freeradius. I've configured active
directory to store the password with reversible encryption so it can be
decrypted to plain text. This in turn mean EAP-MD5 works when I use NPS (which
has the same requirements) but maybe that doesn't work with freeradius because
the mechanism to connect to the database doesn't support the way windows is
dealing with the password?
The log tends to suggest to me that's it's not even trying actice directory with EAP-MD5
despite there being no other authentication sources configured "Info: rlm_sql
(sql)"
I can't seem to find any documentation about this.
-----Original Message-----
From: Nicolas Quiniou-Briand via PacketFence-users
[mailto:packetfence-users@lists.sourceforge.net]
Sent: 22 July 2019 12:30
To: packetfence-users@lists.sourceforge.net
Cc: Nicolas Quiniou-Briand <n...@inverse.ca>
Subject: Re: [PacketFence-users] EAP-MD5 & Active Directory?
Hello John
On 2019-07-22 11:34 a.m., John Sayce via PacketFence-users wrote:
Mon Jul 22 10:13:31 2019 : Auth: (13018) Login incorrect (eap_md5:
Cleartext-Password is required for EAP-MD5 authentication):
[asd\switch1] (from client 10.8.4.2 port 31 cli 54:80:28:9c:50:50)
Try to change "Database passwords hashing method" setting to "plain" in Configuration
-> System configuration -> Main configuration -> Advanced.
As mentioned here [0], EAP-MD5 is only compatible with clear text passwords.
[0] http://deployingradius.com/documents/protocols/compatibility.html
--
Nicolas Quiniou-Briand
n...@inverse.ca :: +1.514.447.4918 *140 :: https://inverse.ca
Inverse inc. :: Leaders behind SOGo (https://sogo.nu), PacketFence
(https://packetfence.org) and Fingerbank (http://fingerbank.org)
_______________________________________________
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users
_______________________________________________
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users
--
Fabrice Durand
fdur...@inverse.ca :: +1.514.447.4918 (x135) :: www.inverse.ca Inverse inc.
:: Leaders behind SOGo (http://www.sogo.nu) and PacketFence
(http://packetfence.org)
_______________________________________________
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users
_______________________________________________
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users
--
Fabrice Durand
fdur...@inverse.ca :: +1.514.447.4918 (x135) :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence
(http://packetfence.org)
_______________________________________________
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users
