Hi Fabrice,

When I do a test from the AD_Domain-Computers Auth Source I get a green check.
Here is the authentication.conf. Thanks for the help.

# Copyright (C) Inverse inc.
[local]
description=Local Users
type=SQL

[file1]
description=Legacy Source
path=/usr/local/pf/conf/admin.conf
type=Htpasswd
realms=null

[file1 rule admins]
description=All admins
class=administration
match=all
action0=set_access_level=ALL
status=enabled

[sms]
description=SMS-based registration
sms_carriers=100056,100057,100061,100058,100059,100060,100062,100063,100071,100064,100116,100066,100117,100112,100067,100065,100068,100069,100070,100118,100115,100072,100073,100074,100075,100076,100077,100085,100086,100080,100079,100081,100083,100082,100084,100087,100088,100111,100089,100090,100091,100092,100093,100094,100095,100096,100098,100097,100099,100100,100101,100113,100102,100103,100104,100106,100105,100107,100108,100109,100114,100110,100078,100119,100120,100121,100122,100123,100124,100125,100126,100127,100128
type=SMS
create_local_account=no

[sms rule catchall]
description=
class=authentication
match=all
action0=set_role=guest
action1=set_access_duration=1D
status=enabled

[email]
description=Email-based registration
email_activation_timeout=10m
type=Email
allow_localdomain=yes
create_local_account=no

[email rule catchall]
description=
class=authentication
match=all
action0=set_role=guest
action1=set_access_duration=1D
status=enabled

[sponsor]
description=Sponsor-based registration
type=SponsorEmail
allow_localdomain=yes
create_local_account=no

[sponsor rule catchall]
description=
class=authentication
match=all
action0=set_role=guest
action1=set_access_duration=1D
status=enabled

[null]
description=Null Source
type=Null
email_required=no
set_access_durations_action=

[null rule catchall]
action0=set_role=empty - None
status=enabled
match=all
class=authentication
action1=set_access_duration=1D
description=catchall
[AD-Faculty]
cache_match=0
read_timeout=10
realms=domain.org,null
basedn=OU=Domain_Users,DC=domain,DC=local
monitor=1
password=xxxxxxxxxx
shuffle=0
searchattributes=
set_access_durations_action=
scope=sub
email_attribute=mail
usernameattribute=sAMAccountName
connection_timeout=1
binddn=CN=Admin\, PacketFence,OU=IT Utilty Accounts,OU=Domain_Users,DC=domain,DC=local
encryption=none
description=Active Directory - Faculty All
port=389
host=172.20.10.2
write_timeout=5
type=AD

[AD-Faculty rule Faculty_All]
action0=set_role=default
condition0=groupMembership,is member of,CN=Faculty - All,OU=Domain Groups,DC=domain,DC=local
status=enabled
match=all
class=authentication
action1=set_access_duration=1h

[AD_Domain-Computers]
cache_match=0
read_timeout=10
realms=domain.local
basedn=DC=domain,DC=local
monitor=1
password=xxxxxxxxxx
shuffle=0
searchattributes=
set_access_durations_action=
scope=sub
email_attribute=mail
usernameattribute=servicePrincipalName
connection_timeout=1
binddn=CN=Admin\, PacketFence,OU=IT Utilty Accounts,OU=Domain_Users,DC=domain,DC=local
encryption=none
description=Active Directory - Domain Computers
port=389
host=172.20.10.2
write_timeout=5
type=AD

[AD_Domain-Computers rule Domain_Computers]
action0=set_role=default
condition0=groupMembership,is member of,CN=Domain Computers,OU=Domain Groups,DC=domain,DC=local
status=enabled
match=all
class=authentication
action1=set_access_duration=1h

[EAPTLS rule Test]
action0=set_access_duration=1h
condition0=SSID,equals,WIFI-EPS
status=enabled
match=all
class=authentication
action1=set_role=guest

On Monday, July 6, 2020, 09:04:24 PM EDT, Durand fabrice <fdur...@inverse.ca> wrote:

Hello Michael,

On 20-07-06 at 10:37, Michael Brown wrote:

Hey Fabrice,

Removed the Host realm, added the domain.local realm. I set this realm to not strip on radius. Is that correct?

yes it's ok

Still getting can't connect to this network on the test device.
Here are the two logs:

Radius.log (on the second attempt to join the ssid shown below I unchecked verify the server's identity by validating the certificate on the Windows machine)

Jul 6 00:33:32 srv-pf-02 auth[29301]: Adding client 172.20.110.141/32
Jul 6 00:33:33 srv-pf-02 auth[29301]: (52074) eap_peap: ERROR: TLS Alert read:fatal:unknown CA
Jul 6 00:33:33 srv-pf-02 auth[29301]: (52074) eap_peap: ERROR: TLS_accept: Failed in error
Jul 6 00:33:33 srv-pf-02 auth[29301]: (52074) eap_peap: ERROR: Failed in __FUNCTION__ (SSL_read)
Jul 6 00:33:33 srv-pf-02 auth[29301]: [mac:00:e0:4c:19:dd:56] Rejected user: host/IT-VM-TEST.domain.local
Jul 6 00:33:33 srv-pf-02 auth[29301]: (52074) Login incorrect (eap_peap: TLS Alert read:fatal:unknown CA): [host/IT-VM-TEST. domain.local] (from client 172.20.110.141/32 port 1 cli 00:e0:4c:19:dd:56)
Jul 6 00:34:40 srv-pf-02 auth[29301]: (52087) Rejected in post-auth: [host/IT-VM-TEST. domain.local] (from client 172.20.110.141/32 port 1 cli 00:e0:4c:19:dd:56 via TLS tunnel)

It means that it's rejected in PacketFence and not in FreeRADIUS, so the 802.1x works.

Jul 6 00:34:40 srv-pf-02 auth[29301]: (52087) Login incorrect: [host/IT-VM-TEST. domain.local] (from client 172.20.110.141/32 port 1 cli 00:e0:4c:19:dd:56 via TLS tunnel)
Jul 6 00:34:40 srv-pf-02 auth[29301]: [mac:00:e0:4c:19:dd:56] Rejected user: host/IT-VM-TEST. domain.local
Jul 6 00:34:40 srv-pf-02 auth[29301]: (52088) Login incorrect (eap_peap: The users session was previously rejected: returning reject (again.)): [host/IT-VM-TEST. domain.local] (from client 172.20.110.141/32 port 1 cli 00:e0:4c:19:dd:56)

packetfence.log

Jul 6 00:34:40 srv-pf-02 packetfence_httpd.aaa: httpd.aaa(1907) WARN: [mac:00:e0:4c:19:dd:56] Unable to extract audit-session-id for module pf::Switch::Meraki::MR_v2. SSID-based VLAN assignments won't work. Make sure you enable Vendor Specific Attributes (VSA) on the AP if you want them to work. (pf::Switch::getCiscoAvPairAttribute)
Jul 6 00:34:40 srv-pf-02 packetfence_httpd.aaa: httpd.aaa(1907) INFO: [mac:00:e0:4c:19:dd:56] handling radius autz request: from switch_ip => (172.20.110.141), connection_type => Wireless-802.11-EAP,switch_mac => (92:18:98:40:47:69), mac => [00:e0:4c:19:dd:56], port => 1, username => "host/IT-VM-TEST. domain.local", ssid => WIFI-EPS (pf::radius::authorize)
Jul 6 00:34:40 srv-pf-02 packetfence_httpd.aaa: httpd.aaa(1907) INFO: [mac:00:e0:4c:19:dd:56] is doing machine auth with account 'host/IT-VM-TEST. domain.local'. (pf::radius::authorize)
Jul 6 00:34:40 srv-pf-02 packetfence_httpd.aaa: httpd.aaa(1907) INFO: [mac:00:e0:4c:19:dd:56] Instantiate profile EPS-Wifi (pf::Connection::ProfileFactory::_from_profile)
Jul 6 00:34:40 srv-pf-02 packetfence_httpd.aaa: httpd.aaa(1907) INFO: [mac:00:e0:4c:19:dd:56] Found authentication source(s) : 'AD_Domain-Computers' for realm ' domain.local' (pf::config::util::filter_authentication_sources)
Jul 6 00:34:40 srv-pf-02 packetfence_httpd.aaa: httpd.aaa(1907) INFO: [mac:00:e0:4c:19:dd:56] Using sources AD_Domain-Computers for matching (pf::authentication::match2)
Jul 6 00:34:40 srv-pf-02 packetfence_httpd.aaa: httpd.aaa(1907) WARN: [mac:00:e0:4c:19:dd:56] [AD_Domain-Computers Domain_Computers] Searching for (servicePrincipalName=host/IT-VM-TEST. domain.local), from DC= domain,DC=local, with scope sub (pf::Authentication::Source::LDAPSource::match_in_subclass)
Jul 6 00:34:40 srv-pf-02 packetfence_httpd.aaa: httpd.aaa(1907) INFO: [mac:00:e0:4c:19:dd:56] LDAP testing connection (pf::LDAP::expire_if)
Jul 6 00:34:40 srv-pf-02 packetfence_httpd.aaa: httpd.aaa(1907) ERROR: [mac:00:e0:4c:19:dd:56] Error binding: 'Connection reset by peer' (pf::LDAP::log_error_msg)

Error binding: can you check from the source itself, when you click on test, that it works?

Jul 6 00:34:40 srv-pf-02 packetfence_httpd.aaa: httpd.aaa(1907) WARN: [mac:00:e0:4c:19:dd:56] LDAP connection expired (pf::LDAP::expire_if)
Jul 6 00:34:40 srv-pf-02 packetfence_httpd.aaa: httpd.aaa(1907) INFO: [mac:00:e0:4c:19:dd:56] No rules matches or no category defined for the node, set it as unreg. (pf::role::getNodeInfoForAutoReg)

There are no rules that matched in AD_Domain-Computers; can you paste the content of authentication.conf (remove sensitive info).

Jul 6 00:34:40 srv-pf-02 packetfence_httpd.aaa: httpd.aaa(1907) WARN: [mac:00:e0:4c:19:dd:56] No category computed for autoreg (pf::role::getNodeInfoForAutoReg)
Jul 6 00:34:40 srv-pf-02 packetfence_httpd.aaa: httpd.aaa(1907) WARN: [mac:00:e0:4c:19:dd:56] No role specified or found for pid host/IT-VM-TEST. domain.local (MAC 00:e0:4c:19:dd:56); assume maximum number of registered nodes is reached (pf::node::is_max_reg_nodes_reached)
Jul 6 00:34:40 srv-pf-02 packetfence_httpd.aaa: httpd.aaa(1907) ERROR: [mac:00:e0:4c:19:dd:56] no role computed by any sources - registration of 00:e0:4c:19:dd:56 to host/IT-VM-TEST. domain.local failed (pf::registration::setup_node_for_registration)
Jul 6 00:34:40 srv-pf-02 packetfence_httpd.aaa: httpd.aaa(1907) ERROR: [mac:00:e0:4c:19:dd:56] auto-registration of node failed no role computed by any sources (pf::radius::authorize)
Jul 6 00:34:40 srv-pf-02 packetfence_httpd.aaa: httpd.aaa(1907) ERROR: [mac:00:e0:4c:19:dd:56] Database query failed with non retryable error: Cannot add or update a child row: a foreign key constraint fails (`pf`.`node`, CONSTRAINT `0_57` FOREIGN KEY (`tenant_id`, `pid`) REFERENCES `person` (`tenant_id`, `pid`) ON DELETE CASCADE ON UPDATE CASCADE) (errno: 1452) [INSERT INTO `node` ( `autoreg`, `bandwidth_balance`, `bypass_role_id`, `bypass_vlan`, `category_id`, `computername`, `detect_date`, `device_class`, `device_manufacturer`, `device_score`, `device_type`, `device_version`, `dhcp6_enterprise`, `dhcp6_fingerprint`, `dhcp_fingerprint`, `dhcp_vendor`, `last_arp`, `last_dhcp`, `last_seen`, `lastskip`, `mac`, `machine_account`, `notes`, `pid`, `regdate`, `sessionid`, `status`, `tenant_id`, `time_balance`, `unregdate`, `user_agent`, `voip`) VALUES ( ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, NOW(), ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ? ) ON DUPLICATE KEY UPDATE `autoreg` = ?, `last_seen` = NOW(), `machine_account` = ?, `pid` = ?, `tenant_id` = ?]{yes, NULL, NULL, NULL, NULL, NULL, 2020-07-06 00:09:30, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, 0000-00-00 00:00:00, 0000-00-00 00:00:00, 0000-00-00 00:00:00, 00:e0:4c:19:dd:56, host/IT-VM-TEST. domain.local, NULL, host/IT-VM-TEST. domain.local, 0000-00-00 00:00:00, NULL, unreg, 1, NULL, 0000-00-00 00:00:00, NULL, no, yes, host/IT-VM-TEST. domain.local, host/IT-VM-TEST. domain.local, 1} (pf::dal::db_execute)
Jul 6 00:34:40 srv-pf-02 packetfence_httpd.aaa: httpd.aaa(1907) ERROR: [mac:00:e0:4c:19:dd:56] Cannot save 00:e0:4c:19:dd:56 error (500) (pf::radius::authorize)

Thanks.
Mike

Regards
Fabrice

On Sunday, July 5, 2020, 08:22:42 PM EDT, Durand fabrice via PacketFence-users <packetfence-users@lists.sourceforge.net> wrote:

Hello Michael,

On 20-06-30 at 00:02, Michael Brown via PacketFence-users wrote:

Hi Guys,

I am trying to get machine authentication working so that if a machine is a member of the Active Directory Domain Computers group it will join wifi without prompting the user for anything. The access points are all Meraki.

On packetfence I have the following:

Connection Profile
Automatically register devices is turned on
Connection Type = Wireless-802.11 EAP

Authentication Profile
Realm: Host

Realm can't be Host, it's supposed to be the fqdn of the domain: like host/x1234.acme.com, the realm is acme.com. So create the realm acme.com, associate the domain to it and in the authentication source (AD) edit the authentication rule and remove Realm = host. Next connect to the ssid and paste the packetfence.log and the radius.log file if it still doesn't work.

Regards
Fabrice

Group Membership > is a member of > CN=Domain Computers,CN=Users,DC=xxxxx,DC=local
Role > Default
Access Duration > 1hr
Username Attribute = servicePrincipalName

On a domain device that is a member of Domain Computers, when I choose to join the wireless network it is prompting me for a username and password. Any ideas on how I can get the Domain Computer devices to auto join?

Thanks a lot.
Mike

_______________________________________________
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users
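The thread turns on two points: the realm for a machine account is the domain part of the host/<FQDN> username (not the literal "host"), and a "No rules matches" outcome is meaningless when the LDAP bind to the source failed just before it. The script below is an added example, not PacketFence code and not from either poster; it reproduces that reasoning offline. It assumes the host/<hostname>.<domain> username form shown in the logs, builds the servicePrincipalName filter with RFC 4515 escaping (PacketFence's own realm-derivation and filter code is not reproduced here), and triages constructed log lines modelled on the packetfence.log excerpt above; the regexes match only the message texts seen in that excerpt.

```python
import re
from dataclasses import dataclass, field


@dataclass
class MachineIdentity:
    username: str  # RADIUS User-Name as sent by the supplicant
    hostname: str  # short computer name
    realm: str     # domain FQDN, i.e. the realm PacketFence needs


def parse_machine_username(username: str) -> MachineIdentity:
    """Split host/<hostname>.<domain fqdn> into hostname and realm.

    Windows machine authentication sends the computer account as host/<FQDN>;
    the realm is the domain part (host/x1234.acme.com -> acme.com), not the
    literal string 'host'. Assumes this form; anything else is rejected.
    """
    prefix = "host/"
    if not username.startswith(prefix):
        raise ValueError(f"not a machine account: {username!r}")
    labels = username[len(prefix):].split(".")
    if len(labels) < 2 or not all(labels):
        raise ValueError(f"no domain part in {username!r}")
    return MachineIdentity(username, labels[0], ".".join(labels[1:]))


# RFC 4515: these characters must be hex-escaped inside a filter value
_LDAP_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def ldap_escape(value: str) -> str:
    return "".join(_LDAP_ESCAPES.get(ch, ch) for ch in value)


def spn_filter(username: str) -> str:
    """Filter equivalent to the 'Searching for (servicePrincipalName=...)'
    log line, with the username treated as data rather than filter syntax."""
    return f"(servicePrincipalName={ldap_escape(username)})"


@dataclass
class AuthzTrace:
    mac: str
    username: str = ""
    realm: str = ""
    sources: list = field(default_factory=list)
    bind_error: str = ""
    rule_matched: bool = True


_MAC_LINE = re.compile(r"\[mac:(?P<mac>[0-9a-f:]{17})\] (?P<msg>.*)$")
_ACCOUNT = re.compile(r"machine auth with account '([^']+)'")
_SOURCE = re.compile(r"Found authentication source\(s\) : '([^']+)' for realm '([^']*)'")
_BIND = re.compile(r"Error binding: '([^']+)'")


def triage(log_lines) -> dict:
    """Collapse packetfence.log lines into one AuthzTrace per MAC address."""
    traces: dict = {}
    for line in log_lines:
        m = _MAC_LINE.search(line)
        if not m:
            continue
        t = traces.setdefault(m["mac"], AuthzTrace(m["mac"]))
        msg = m["msg"]
        if (a := _ACCOUNT.search(msg)):
            t.username = a.group(1)
        elif (s := _SOURCE.search(msg)):
            t.sources.append(s.group(1))
            t.realm = s.group(2)
        elif (b := _BIND.search(msg)):
            t.bind_error = b.group(1)
        elif "No rules matches" in msg or "no role computed" in msg:
            t.rule_matched = False
    return traces


def verdict(t: AuthzTrace) -> str:
    """Ordering matters: a bind failure explains every later 'no rule' line."""
    if t.username.startswith("host/") and t.realm:
        expected = parse_machine_username(t.username).realm
        if expected.lower() != t.realm.strip().lower():
            return f"realm mismatch: username implies {expected!r}, PacketFence used {t.realm!r}"
    if t.bind_error:
        return f"LDAP bind to {', '.join(t.sources) or 'source'} failed ({t.bind_error}); rules never evaluated"
    if not t.rule_matched:
        return "bind ok but no rule matched: check usernameattribute and the group condition"
    return "role computed"


# Constructed sample, abridged from the thread's packetfence.log excerpt
SAMPLE_LOG = [
    "Jul 6 00:34:40 srv-pf-02 packetfence_httpd.aaa: httpd.aaa(1907) INFO: [mac:00:e0:4c:19:dd:56] is doing machine auth with account 'host/IT-VM-TEST.domain.local'. (pf::radius::authorize)",
    "Jul 6 00:34:40 srv-pf-02 packetfence_httpd.aaa: httpd.aaa(1907) INFO: [mac:00:e0:4c:19:dd:56] Found authentication source(s) : 'AD_Domain-Computers' for realm 'domain.local' (pf::config::util::filter_authentication_sources)",
    "Jul 6 00:34:40 srv-pf-02 packetfence_httpd.aaa: httpd.aaa(1907) ERROR: [mac:00:e0:4c:19:dd:56] Error binding: 'Connection reset by peer' (pf::LDAP::log_error_msg)",
    "Jul 6 00:34:40 srv-pf-02 packetfence_httpd.aaa: httpd.aaa(1907) INFO: [mac:00:e0:4c:19:dd:56] No rules matches or no category defined for the node, set it as unreg. (pf::role::getNodeInfoForAutoReg)",
]

if __name__ == "__main__":
    for trace in triage(SAMPLE_LOG).values():
        print(trace.mac, spn_filter(trace.username), "->", verdict(trace))
```

Run against the sample, the verdict points at the bind failure rather than at the rule, which is the same conclusion Fabrice draws from the log; feeding it lines where the realm was "host" instead reports the mismatch the earlier message in the thread describes.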