Thanks, Fabrice. This worked perfectly.

Eric Schubert

________________________________
From: Durand fabrice via PacketFence-users <[email protected]>
Sent: Wednesday, November 25, 2020 8:21 PM
To: [email protected] <[email protected]>
Cc: Durand fabrice <[email protected]>
Subject: Re: [PacketFence-users] PF ZEN 10.2.0 - Authenticate with Active Directory using email address


Hello Eric,


In the AD authentication source, add search attributes (UserPrincipalName).





then in the realm config (the DEFAULT one) enable "Custom attributes" and 
select your AD source.




Then you need to restart radius.


Regards

Fabrice
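
Added example (not PacketFence's own code) showing why the search-attribute change matters: an LDAP/AD source can only match a submitted login against the attributes it is configured to search, so an email-form login needs UserPrincipalName in that list, while adding the non-unique `mail` attribute can make a lookup ambiguous. The directory entries, names and the filter builder are constructed assumptions.

```python
from typing import Dict, List, Optional

# Constructed sample entries (attribute names are real AD schema names; values are made up).
DIRECTORY: List[Dict[str, str]] = [
    {"dn": "CN=J Doe,OU=Users,DC=corp,DC=example",
     "sAMAccountName": "jdoe",
     "userPrincipalName": "jdoe@corp.example",
     "mail": "jdoe@corp.example"},
    {"dn": "CN=Helpdesk,OU=Shared,DC=corp,DC=example",
     "sAMAccountName": "helpdesk",
     "userPrincipalName": "helpdesk@corp.example",
     "mail": "jdoe@corp.example"},  # alias shared with jdoe: mail is not unique in AD
]


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping so a submitted login can never change the filter's structure."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)


def build_filter(login: str, search_attrs: List[str]) -> str:
    """One equality term per configured search attribute, OR-ed together."""
    terms = "".join(f"({a}={escape_filter_value(login)})" for a in search_attrs)
    return f"(|{terms})" if len(search_attrs) > 1 else terms


def _attr(entry: Dict[str, str], name: str) -> str:
    """LDAP attribute names are case-insensitive; look them up that way."""
    return next((v for k, v in entry.items() if k.lower() == name.lower()), "")


def resolve_user(login: str, search_attrs: List[str],
                 directory: List[Dict[str, str]] = DIRECTORY) -> Optional[str]:
    """Return the DN of the single entry whose search attribute equals login
    (AD compares values case-insensitively). Zero or several matches both
    return None: an ambiguous identifier must not authenticate anyone."""
    needle = login.lower()
    matches = [e["dn"] for e in directory
               if any(_attr(e, a).lower() == needle for a in search_attrs)]
    return matches[0] if len(matches) == 1 else None


if __name__ == "__main__":
    login = "jdoe@corp.example"
    for attrs in (["sAMAccountName"],
                  ["sAMAccountName", "UserPrincipalName"],
                  ["sAMAccountName", "UserPrincipalName", "mail"]):
        print(build_filter(login, attrs), "->", resolve_user(login, attrs))
```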


On 20-11-24 at 21:29, Eric Schubert via PacketFence-users wrote:
Hello,

I've been experimenting with PacketFence for NAC for a couple of weeks now. We're 
running ZEN, updated to PF 10.2.0 yesterday. Based on endless threads on 
various forums, it would appear we're not the only outfit looking to use email 
addresses for authentication. For the life of me, I can't figure out how to 
configure authentication against Active Directory using UserPrincipalName, 
mail, or any attribute other than sAMAccountName. I've tried AD and LDAP and 
what feels like a million combinations of settings experiments. I followed the 
installation instructions to a tee. Authentication using sAMAccountName works 
fine, drops me in the right VLAN, registers my device, etc. When I try an email 
address (associated with the same sAMAccountName) with a known-to-be-correct 
password, authentication fails with the following:

Module-Failure-Message = "chrooted_mschap: Program returned code (1) and output 
'The attempted logon is invalid. This is either due to a bad username or 
authentication information. (0xc000006d)'"
Module-Failure-Message = "chrooted_mschap: External script says: The attempted 
logon is invalid. This is either due to a bad username or authentication 
information. (0xc000006d)"
Module-Failure-Message = "chrooted_mschap: MS-CHAP2-Response is incorrect"

Occasionally (and I say "occasionally" because it's not consistent behavior), 
authentication seems to be successful via email address; I'm greeted with a 
certificate I trust, then a message on the user device (iOS 14.1) saying 
"Unable to join the network". I then try immediately after with the same 
credentials and am greeted with only the "Unable to join the network" message. 
If I try with just sAMAccountName, no problem.

At one point, the user created in PF after successful authentication even 
brought over attributes from AD properly. I deleted the user so I could try 
authenticating with email address again, but those attributes no longer 
populate, even using sAMAccountName. That only happened once out of 100+ 
authentication tests.

Is there any firm documentation or an example config that I can reference to 
set up Active Directory authentication using something other than 
sAMAccountName that doesn't require manually modifying files? I'd prefer to 
control the config via built-in GUI features so as not to have to re-create 
changes if they're wiped out during updates.

Thank you,

Eric Schubert




_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
