Hi Fabrice,
When I do a test from the AD_Domain-Computers Auth Source I get a green check.
Here is the authentication.conf
Thanks for the help.
# Copyright (C) Inverse inc.
[local]
description=Local Users
type=SQL

[file1]
description=Legacy Source
path=/usr/local/pf/conf/admin.conf
type=Htpasswd
realms=null

[file1 rule admins]
description=All admins
class=administration
match=all
action0=set_access_level=ALL
status=enabled

[sms]
description=SMS-based registration
sms_carriers=100056,100057,100061,100058,100059,100060,100062,100063,100071,100064,100116,100066,100117,100112,100067,100065,100068,100069,100070,100118,100115,100072,100073,100074,100075,100076,100077,100085,100086,100080,100079,100081,100083,100082,100084,100087,100088,100111,100089,100090,100091,100092,100093,100094,100095,100096,100098,100097,100099,100100,100101,100113,100102,100103,100104,100106,100105,100107,100108,100109,100114,100110,100078,100119,100120,100121,100122,100123,100124,100125,100126,100127,100128
type=SMS
create_local_account=no

[sms rule catchall]
description=
class=authentication
match=all
action0=set_role=guest
action1=set_access_duration=1D
status=enabled

[email]
description=Email-based registration
email_activation_timeout=10m
type=Email
allow_localdomain=yes
create_local_account=no

[email rule catchall]
description=
class=authentication
match=all
action0=set_role=guest
action1=set_access_duration=1D
status=enabled

[sponsor]
description=Sponsor-based registration
type=SponsorEmail
allow_localdomain=yes
create_local_account=no

[sponsor rule catchall]
description=
class=authentication
match=all
action0=set_role=guest
action1=set_access_duration=1D
status=enabled

[null]
description=Null Source
type=Null
email_required=no
set_access_durations_action=

[null rule catchall]
action0=set_role=empty - None
status=enabled
match=all
class=authentication
action1=set_access_duration=1D
description=catchall

[AD-Faculty]
cache_match=0
read_timeout=10
realms=domain.org,null
basedn=OU=Domain_Users,DC=domain,DC=local
monitor=1
password=xxxxxxxxxx
shuffle=0
searchattributes=
set_access_durations_action=
scope=sub
email_attribute=mail
usernameattribute=sAMAccountName
connection_timeout=1
binddn=CN=Admin\, PacketFence,OU=IT Utilty Accounts,OU=Domain_Users,DC=domain,DC=local
encryption=none
description=Active Directory - Faculty All
port=389
host=172.20.10.2
write_timeout=5
type=AD

[AD-Faculty rule Faculty_All]
action0=set_role=default
condition0=groupMembership,is member of,CN=Faculty - All,OU=Domain Groups,DC=domain,DC=local
status=enabled
match=all
class=authentication
action1=set_access_duration=1h

[AD_Domain-Computers]
cache_match=0
read_timeout=10
realms=domain.local
basedn=DC=domain,DC=local
monitor=1
password=xxxxxxxxxx
shuffle=0
searchattributes=
set_access_durations_action=
scope=sub
email_attribute=mail
usernameattribute=servicePrincipalName
connection_timeout=1
binddn=CN=Admin\, PacketFence,OU=IT Utilty Accounts,OU=Domain_Users,DC=domain,DC=local
encryption=none
description=Active Directory - Domain Computers
port=389
host=172.20.10.2
write_timeout=5
type=AD

[AD_Domain-Computers rule Domain_Computers]
action0=set_role=default
condition0=groupMembership,is member of,CN=Domain Computers,OU=Domain Groups,DC=domain,DC=local
status=enabled
match=all
class=authentication
action1=set_access_duration=1h

[EAPTLS rule Test]
action0=set_access_duration=1h
condition0=SSID,equals,WIFI-EPS
status=enabled
match=all
class=authentication
action1=set_role=guest
On Monday, July 6, 2020, 09:04:24 PM EDT, Durand fabrice
<[email protected]> wrote:
Hello Michael,
Le 20-07-06 à 10 h 37, Michael Brown a écrit :
Hey Fabrice,
Removed the Host realm, added the domain.local realm. I set this realm to
not strip on radius. Is that correct?
Yes, it's ok.
Still getting can't connect to this network on the test device.
Here are the two logs. Radius.log (on the second attempt to join the SSID
shown below I unchecked "verify the server's identity by validating the
certificate" on the Windows machine):
Jul 6 00:33:32 srv-pf-02 auth[29301]: Adding client 172.20.110.141/32
Jul 6 00:33:33 srv-pf-02 auth[29301]: (52074) eap_peap: ERROR: TLS Alert read:fatal:unknown CA
Jul 6 00:33:33 srv-pf-02 auth[29301]: (52074) eap_peap: ERROR: TLS_accept: Failed in error
Jul 6 00:33:33 srv-pf-02 auth[29301]: (52074) eap_peap: ERROR: Failed in __FUNCTION__ (SSL_read)
Jul 6 00:33:33 srv-pf-02 auth[29301]: [mac:00:e0:4c:19:dd:56] Rejected user: host/IT-VM-TEST.domain.local
Jul 6 00:33:33 srv-pf-02 auth[29301]: (52074) Login incorrect (eap_peap: TLS Alert read:fatal:unknown CA): [host/IT-VM-TEST. domain.local] (from client 172.20.110.141/32 port 1 cli 00:e0:4c:19:dd:56)
Jul 6 00:34:40 srv-pf-02 auth[29301]: (52087) Rejected in post-auth: [host/IT-VM-TEST. domain.local] (from client 172.20.110.141/32 port 1 cli 00:e0:4c:19:dd:56 via TLS tunnel)
It means that it's rejected in PacketFence and not in FreeRADIUS, so the 802.1X
works.
Jul 6 00:34:40 srv-pf-02 auth[29301]: (52087) Login incorrect: [host/IT-VM-TEST. domain.local] (from client 172.20.110.141/32 port 1 cli 00:e0:4c:19:dd:56 via TLS tunnel)
Jul 6 00:34:40 srv-pf-02 auth[29301]: [mac:00:e0:4c:19:dd:56] Rejected user: host/IT-VM-TEST. domain.local
Jul 6 00:34:40 srv-pf-02 auth[29301]: (52088) Login incorrect (eap_peap: The users session was previously rejected: returning reject (again.)): [host/IT-VM-TEST. domain.local] (from client 172.20.110.141/32 port 1 cli 00:e0:4c:19:dd:56)
packetfence.log:
Jul 6 00:34:40 srv-pf-02 packetfence_httpd.aaa: httpd.aaa(1907) WARN:
[mac:00:e0:4c:19:dd:56] Unable to extract audit-session-id for module
pf::Switch::Meraki::MR_v2. SSID-based VLAN assignments won't work. Make sure
you enable Vendor Specific Attributes (VSA) on the AP if you want them to work.
(pf::Switch::getCiscoAvPairAttribute)
Jul 6 00:34:40 srv-pf-02 packetfence_httpd.aaa: httpd.aaa(1907) INFO: [mac:00:e0:4c:19:dd:56] handling radius autz request: from switch_ip => (172.20.110.141), connection_type => Wireless-802.11-EAP,switch_mac => (92:18:98:40:47:69), mac => [00:e0:4c:19:dd:56], port => 1, username => "host/IT-VM-TEST. domain.local", ssid => WIFI-EPS (pf::radius::authorize)
Jul 6 00:34:40 srv-pf-02 packetfence_httpd.aaa: httpd.aaa(1907) INFO: [mac:00:e0:4c:19:dd:56] is doing machine auth with account 'host/IT-VM-TEST. domain.local'. (pf::radius::authorize)
Jul 6 00:34:40 srv-pf-02 packetfence_httpd.aaa: httpd.aaa(1907) INFO:
[mac:00:e0:4c:19:dd:56] Instantiate profile EPS-Wifi
(pf::Connection::ProfileFactory::_from_profile)
Jul 6 00:34:40 srv-pf-02 packetfence_httpd.aaa: httpd.aaa(1907) INFO:
[mac:00:e0:4c:19:dd:56] Found authentication source(s) : 'AD_Domain-Computers'
for realm ' domain.local' (pf::config::util::filter_authentication_sources)
Jul 6 00:34:40 srv-pf-02 packetfence_httpd.aaa: httpd.aaa(1907) INFO:
[mac:00:e0:4c:19:dd:56] Using sources AD_Domain-Computers for matching
(pf::authentication::match2)
Jul 6 00:34:40 srv-pf-02 packetfence_httpd.aaa: httpd.aaa(1907) WARN:
[mac:00:e0:4c:19:dd:56] [AD_Domain-Computers Domain_Computers] Searching for
(servicePrincipalName=host/IT-VM-TEST. domain.local), from DC= domain,DC=local,
with scope sub (pf::Authentication::Source::LDAPSource::match_in_subclass)
Jul 6 00:34:40 srv-pf-02 packetfence_httpd.aaa: httpd.aaa(1907) INFO:
[mac:00:e0:4c:19:dd:56] LDAP testing connection (pf::LDAP::expire_if)
Jul 6 00:34:40 srv-pf-02 packetfence_httpd.aaa: httpd.aaa(1907) ERROR:
[mac:00:e0:4c:19:dd:56] Error binding: 'Connection reset by peer'
(pf::LDAP::log_error_msg)
Error binding: can you check from the source itself, when you click on Test,
that it works?
Jul 6 00:34:40 srv-pf-02 packetfence_httpd.aaa: httpd.aaa(1907) WARN:
[mac:00:e0:4c:19:dd:56] LDAP connection expired (pf::LDAP::expire_if)
Jul 6 00:34:40 srv-pf-02 packetfence_httpd.aaa: httpd.aaa(1907) INFO:
[mac:00:e0:4c:19:dd:56] No rules matches or no category defined for the node,
set it as unreg. (pf::role::getNodeInfoForAutoReg)
There are no rules that matched in AD_Domain-Computers; can you paste the
content of authentication.conf (remove sensitive info)?
Jul 6 00:34:40 srv-pf-02 packetfence_httpd.aaa: httpd.aaa(1907) WARN:
[mac:00:e0:4c:19:dd:56] No category computed for autoreg
(pf::role::getNodeInfoForAutoReg)
Jul 6 00:34:40 srv-pf-02 packetfence_httpd.aaa: httpd.aaa(1907) WARN: [mac:00:e0:4c:19:dd:56] No role specified or found for pid host/IT-VM-TEST. domain.local (MAC 00:e0:4c:19:dd:56); assume maximum number of registered nodes is reached (pf::node::is_max_reg_nodes_reached)
Jul 6 00:34:40 srv-pf-02 packetfence_httpd.aaa: httpd.aaa(1907) ERROR: [mac:00:e0:4c:19:dd:56] no role computed by any sources - registration of 00:e0:4c:19:dd:56 to host/IT-VM-TEST. domain.local failed (pf::registration::setup_node_for_registration)
Jul 6 00:34:40 srv-pf-02 packetfence_httpd.aaa: httpd.aaa(1907) ERROR:
[mac:00:e0:4c:19:dd:56] auto-registration of node failed no role computed by
any sources (pf::radius::authorize)
Jul 6 00:34:40 srv-pf-02 packetfence_httpd.aaa: httpd.aaa(1907) ERROR:
[mac:00:e0:4c:19:dd:56] Database query failed with non retryable error: Cannot
add or update a child row: a foreign key constraint fails (`pf`.`node`,
CONSTRAINT `0_57` FOREIGN KEY (`tenant_id`, `pid`) REFERENCES `person`
(`tenant_id`, `pid`) ON DELETE CASCADE ON UPDATE CASCADE) (errno: 1452) [INSERT
INTO `node` ( `autoreg`, `bandwidth_balance`, `bypass_role_id`, `bypass_vlan`,
`category_id`, `computername`, `detect_date`, `device_class`,
`device_manufacturer`, `device_score`, `device_type`, `device_version`,
`dhcp6_enterprise`, `dhcp6_fingerprint`, `dhcp_fingerprint`, `dhcp_vendor`,
`last_arp`, `last_dhcp`, `last_seen`, `lastskip`, `mac`, `machine_account`,
`notes`, `pid`, `regdate`, `sessionid`, `status`, `tenant_id`, `time_balance`,
`unregdate`, `user_agent`, `voip`) VALUES ( ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?,
?, ?, ?, ?, ?, ?, NOW(), ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ? ) ON DUPLICATE
KEY UPDATE `autoreg` = ?, `last_seen` = NOW(), `machine_account` = ?, `pid` =
?, `tenant_id` = ?]{yes, NULL, NULL, NULL, NULL, NULL, 2020-07-06 00:09:30,
NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, 0000-00-00 00:00:00,
0000-00-00 00:00:00, 0000-00-00 00:00:00, 00:e0:4c:19:dd:56, host/IT-VM-TEST.
domain.local, NULL, host/IT-VM-TEST. domain.local, 0000-00-00 00:00:00, NULL,
unreg, 1, NULL, 0000-00-00 00:00:00, NULL, no, yes, host/IT-VM-TEST.
domain.local, host/IT-VM-TEST. domain.local, 1} (pf::dal::db_execute)
Jul 6 00:34:40 srv-pf-02 packetfence_httpd.aaa: httpd.aaa(1907) ERROR:
[mac:00:e0:4c:19:dd:56] Cannot save 00:e0:4c:19:dd:56 error (500)
(pf::radius::authorize)
Thanks. Mike
Regards
Fabrice
On Sunday, July 5, 2020, 08:22:42 PM EDT, Durand fabrice via
PacketFence-users <[email protected]> wrote:
Hello Michael,
Le 20-06-30 à 00 h 02, Michael Brown via PacketFence-users a écrit :
Hi Guys,
I am trying to get machine authentication working so that if a machine is a
member of the Active Directory Domain Computers group it will join wifi without
prompting the user for anything.
The access points are all Meraki.
On packetfence I have the following:
Connection Profile
Automatically register devices is turned on
Connection Type = Wireless-802.11 EAP
Authentication Profile
Realm: Host
Realm can't be Host; it's supposed to be the FQDN of the domain. For
host/x1234.acme.com the realm is acme.com.
So create the realm acme.com, associate the domain with it, and in the
authentication source (AD) edit the authentication rule and remove Realm = host.
Next, connect to the SSID and paste the packetfence.log and radius.log files
if it still doesn't work.
Regards
Fabrice
Group Membership > is a member of > CN=Domain Computers,CN=Users,DC=xxxxx,DC=local
Role > Default
Access Duration > 1hr
Username Attribute = servicePrincipalName
On a domain device that is a member of Domain Computers, when I choose to
join the wireless network it is prompting me for a username and password.
Any ideas on how I can get the Domain Computer devices to auto join?
Thanks a lot. Mike
_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
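The realm rule Fabrice describes (host/x1234.acme.com belongs to realm acme.com, and the authentication source must list that realm) is what decides whether a source such as AD_Domain-Computers is even consulted. The following is an added illustration, not part of the thread or of PacketFence itself: it parses a trimmed authentication.conf in the layout pasted above and reports which AD sources with an enabled rule can serve a given RADIUS username. The realm derivation (everything after the first dot of the machine FQDN, or after the @) is an assumption made for this example.

```python
import configparser

# Constructed excerpt in the authentication.conf layout pasted in the thread
# (assumed values, trimmed to the keys this check needs).
SAMPLE_CONF = """\
[AD-Faculty]
realms=domain.org,null
usernameattribute=sAMAccountName
type=AD

[AD-Faculty rule Faculty_All]
status=enabled

[AD_Domain-Computers]
realms=domain.local
usernameattribute=servicePrincipalName
type=AD

[AD_Domain-Computers rule Domain_Computers]
status=enabled
"""


def load_conf(text):
    """Parse authentication.conf; sections whose name contains ' rule ' are rules."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp


def realm_of(username):
    """Realm as the thread describes it: host/x1234.acme.com -> acme.com,
    user@acme.com -> acme.com. Assumption for this example: a machine
    account's realm is everything after the first '.'; no dot means no realm."""
    if "@" in username:
        return username.rsplit("@", 1)[1]
    if username.startswith("host/") and "." in username:
        return username.split(".", 1)[1]
    return None


def sources_for(username, cp):
    """Names of sources whose 'realms' list contains the derived realm and that
    have at least one enabled rule (a source with no matching rule computes no role)."""
    realm = realm_of(username)
    if realm is None:
        return []
    result = []
    for name in cp.sections():
        if " rule " in name:
            continue
        realms = [r.strip() for r in cp[name].get("realms", "").split(",")]
        has_rule = any(s.startswith(name + " rule ") and cp[s].get("status") == "enabled"
                       for s in cp.sections())
        if realm in realms and has_rule:
            result.append(name)
    return result
```

A username with no realm part (the "Host" realm setup from the first message) yields no candidate source, which is the same outcome the "No rules matches" warning in packetfence.log reports.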