Hello, I've been experimenting with PacketFence for NAC for a couple of weeks now. We're running ZEN, updated to PF 10.2.0 yesterday. Based on endless threads on various forums, it would appear we're not the only outfit looking to use email addresses for authentication. For the life of me, I can't figure out how to configure authentication against Active Directory using UserPrincipalName, mail, or any attribute other than sAMAccountName. I've tried AD and LDAP and what feels like a million combinations of settings. I followed the installation instructions to a tee. Authentication using sAMAccountName works fine, drops me in the right VLAN, registers my device, etc. When I try an email address (associated with the same sAMAccountName) with a known-to-be-correct password, authentication fails with the following:
    Module-Failure-Message = "chrooted_mschap: Program returned code (1) and output 'The attempted logon is invalid. This is either due to a bad username or authentication information. (0xc000006d)'"
    Module-Failure-Message = "chrooted_mschap: External script says: The attempted logon is invalid. This is either due to a bad username or authentication information. (0xc000006d)"
    Module-Failure-Message = "chrooted_mschap: MS-CHAP2-Response is incorrect"

Occasionally (and I say "occasionally" because it's not consistent behavior), authentication seems to be successful via email address; I'm greeted with a certificate I trust, then a message on the user device (iOS 14.1) saying "Unable to join the network". I then try immediately after with the same credentials and am greeted with only the "Unable to join the network" message. If I try with just sAMAccountName, no problem.

At one point, the user created in PF after successful authentication even brought over attributes from AD properly. I deleted the user so I could try authenticating with an email address again, but those attributes no longer populate, even using sAMAccountName. That only happened once out of 100+ authentication tests.

Is there any firm documentation or an example config that I can reference to set up Active Directory authentication using something other than sAMAccountName that doesn't require manually modifying files? I'd prefer to control the config via built-in GUI features so as not to have to re-create changes if they're wiped out during updates.

Thank you,
Eric Schubert
_______________________________________________ PacketFence-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/packetfence-users
