Hello Ludovic,

thank you for your answer.

Currently, it looks like the supplicant does not engage both computer and user auth. We're looking for a solution for this.

However, look at what I've set:

with such settings, users can still authenticate even if the machine is not in the AD group. Here are the logs:

   Jan 20 11:13:22 test-nac-fence2 packetfence_httpd.aaa[2123186]:
   httpd.aaa(1204466) WARN: [mac:] [ad_user_auth computerAuth]
   Searching for
   (&(&(|(sAMAccountName=a.cedic)(servicePrincipalName=a.cedic)))(servicePrincipalName=host/*)),
   from DC=mutu,DC=local, with scope sub
   (pf::Authentication::Source::LDAPSource::match_in_subclass)
   Jan 20 11:13:22 test-nac-fence2 packetfence_httpd.aaa[2123186]:
   httpd.aaa(1204466) INFO: [mac:] LDAP testing connection
   (pf::LDAP::expire_if)
   Jan 20 11:13:22 test-nac-fence2 packetfence_httpd.aaa[2123186]:
   httpd.aaa(1204466) ERROR: [mac:] Error binding: 'Connection reset by
   peer' (pf::LDAP::log_error_msg)
   Jan 20 11:13:22 test-nac-fence2 packetfence_httpd.aaa[2123186]:
   httpd.aaa(1204466) WARN: [mac:] LDAP connection expired
   (pf::LDAP::expire_if)
   Jan 20 11:13:22 test-nac-fence2 packetfence_httpd.aaa[2123186]:
   httpd.aaa(1204466) WARN: [mac:] [ad_user_auth set_role_agent]
   Searching for
   (&(|(sAMAccountName=a.cedic)(servicePrincipalName=a.cedic))), from
   DC=mutu,DC=local, with scope sub
   (pf::Authentication::Source::LDAPSource::match_in_subclass)
   Jan 20 11:13:22 test-nac-fence2 packetfence_httpd.aaa[2123186]:
   httpd.aaa(1204466) INFO: [mac:] Matched rule (set_role_agent) in
   source ad_user_auth, returning actions.
   (pf::Authentication::Source::match_rule)

As if, when the first fails, the second is still tested.

On 18/01/2022 at 14:45, Zammit, Ludovic wrote:
Hello Mathieu,

The user AD source does a lookup on samAccountName and the computer source does a lookup with ServicePrincipalName; those are two different things. You can match one at a time, meaning:

Computer login on the domain = Computer authentication

User login on the domain = User authentication

The 802.1x supplicant needs to be configured to do both authentications.

Here is what I advise you to do:

Create one AD source with principal attribute = samAccountname, then add search attribute = ServicePrincipalName. Then create a rule named computerAuth that does a lookup on the condition servicePrincipalname starts with host/ and assigns a computer role. Create another rule, for example, to match on your users, like memberof equals DISTINGUISHEDNAME-OF-A-GROUP, returning the role Staff.

So with one source you could match users and computers. Make sure the device engages Computer Auth AND user authentication when the user logs in.

Thanks,

*Ludovic Zammit*
*Product Support Engineer Principal*

*Cell:* +1.613.670.8432
Akamai Technologies - Inverse
145 Broadway
Cambridge, MA 02142



On Jan 18, 2022, at 4:17 AM, Mathieu Valois via PacketFence-users <packetfence-users@lists.sourceforge.net> wrote:

Hello,

I would like to authenticate both machine and user using an AD authentication source. I've made 2 authentication sources: one for machine and one for users, following the installation guide.

In the Standard Connection Profiles I've set the both sources and used an ALL (AND) operator. However it looks like only the first matching source is used.

Is it expected?

Thank you for your help,



_______________________________________________
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://urldefense.com/v3/__https://lists.sourceforge.net/lists/listinfo/packetfence-users__;!!GjvTz_vk!Gk6qQsfJSQEo7SbSOBPX5DfTSZ1QK2T69A58mvR_NODUgY-2cNJsJm-_VCvC0oea$

--
téïcée <https://www.teicee.com/?pk_campaign=Email>        *Mathieu Valois*

Caen office: Quartier Kœnig - 153, rue Géraldine MOCK - 14760 Bretteville-sur-Odon
Vitré office: Zone de la baratière - 12, route de Domalain - 35500 Vitré
02 72 34 13 20 | www.teicee.com <https://www.teicee.com/?pk_campaign=Email>

téïcée on facebook <https://www.facebook.com/teicee> téïcée on twitter <https://twitter.com/Teicee_fr> téïcée on linkedin <https://www.linkedin.com/company/t-c-e> téïcée on viadeo <https://fr.viadeo.com/fr/company/teicee> Datadocké
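The rule evaluation visible in the logs above (computerAuth tried first, then set_role_agent) follows from the one-source/two-rules layout Ludovic proposed. The following is an added example, not PacketFence code and not from either poster: a small model of first-match rule evaluation over constructed directory entries. It assumes the second rule uses the memberOf condition Ludovic suggested (the log only shows its search filter), and all account names, group DNs and SPNs are placeholders.

```python
"""Model of first-match rule evaluation in a single LDAP auth source.

Constructed example (not PacketFence's implementation). Each RADIUS request
carries ONE identity, either the user's or the machine's, so the lookup
returns one entry and every rule is tested against that entry alone; a rule
that fails simply lets the next rule be tried.
"""
from dataclasses import dataclass

STAFF_GROUP = "CN=Staff,OU=Groups,DC=mutu,DC=local"   # placeholder DN

# Constructed directory entries (multi-valued attributes as lists).
DIRECTORY = {
    "a.cedic":   {"sAMAccountName": ["a.cedic"], "memberOf": [STAFF_GROUP]},
    "pc-lab01$": {"sAMAccountName": ["pc-lab01$"],
                  "servicePrincipalName": ["host/pc-lab01.mutu.local",
                                           "host/PC-LAB01"]},
}

@dataclass
class Rule:
    name: str
    conditions: list   # (attribute, operator, value) triples, all must hold
    role: str

def condition_holds(entry, attr, op, value):
    """Evaluate one rule condition ('equals' or 'starts') on a multi-valued attribute."""
    values = entry.get(attr, [])
    if op == "equals":
        return value in values
    if op == "starts":
        return any(v.startswith(value) for v in values)
    raise ValueError(f"unsupported operator {op}")

def lookup(identity):
    """Search filter (|(sAMAccountName=id)(servicePrincipalName=id)), as in the logs."""
    for entry in DIRECTORY.values():
        if identity in entry.get("sAMAccountName", []) \
           or identity in entry.get("servicePrincipalName", []):
            return entry
    return None

def match_rules(identity, rules):
    """Return (rule name, role) of the first rule whose conditions all hold, else None."""
    entry = lookup(identity)
    if entry is None:
        return None            # unknown account: no rule can match
    for rule in rules:
        if all(condition_holds(entry, *c) for c in rule.conditions):
            return rule.name, rule.role
    return None

RULES = [
    Rule("computerAuth", [("servicePrincipalName", "starts", "host/")], "computer"),
    Rule("set_role_agent", [("memberOf", "equals", STAFF_GROUP)], "Staff"),
]
```

Running `match_rules("a.cedic", RULES)` reproduces the log: computerAuth fails (the user entry has no SPN) and set_role_agent still matches, because nothing in the user's request tells the rule whether the machine ever authenticated.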

