Hello Matthieu, Make sure that your windows supplicant is configured that way:
Log off and it should engage the computer authentication. Thanks, Ludovic Zammit Product Support Engineer Principal Cell: +1.613.670.8432 Akamai Technologies - Inverse 145 Broadway Cambridge, MA 02142 Connect with Us: <https://community.akamai.com/> <http://blogs.akamai.com/> <https://twitter.com/akamai> <http://www.facebook.com/AkamaiTechnologies> <http://www.linkedin.com/company/akamai-technologies> <http://www.youtube.com/user/akamaitechnologies?feature=results_main> > On Jan 20, 2022, at 6:17 AM, Mathieu Valois <mval...@teicee.com> wrote: > > Hello Ludovic, > > thank you for your answer. > > Currently, it looks like the supplicant does not engage both computer and > user auth. We're looking on a solution for this. > > However, look at what I've set : > > <tK0YPWM4oP3I5ABN.png> > > with such settings, users can still authenticate even if the machine is not > in the AD group. Here are the logs : > > Jan 20 11:13:22 test-nac-fence2 packetfence_httpd.aaa[2123186]: > httpd.aaa(1204466) WARN: [mac:] [ad_user_auth computerAuth] Searching for > (&(&(|(sAMAccountName=a.cedic)(servicePrincipalName=a.cedic)))(servicePrincipalName=host/*)), > from DC=mutu,DC=local, with scope sub > (pf::Authentication::Source::LDAPSource::match_in_subclass) > Jan 20 11:13:22 test-nac-fence2 packetfence_httpd.aaa[2123186]: > httpd.aaa(1204466) INFO: [mac:] LDAP testing connection (pf::LDAP::expire_if) > Jan 20 11:13:22 test-nac-fence2 packetfence_httpd.aaa[2123186]: > httpd.aaa(1204466) ERROR: [mac:] Error binding: 'Connection reset by peer' > (pf::LDAP::log_error_msg) > Jan 20 11:13:22 test-nac-fence2 packetfence_httpd.aaa[2123186]: > httpd.aaa(1204466) WARN: [mac:] LDAP connection expired (pf::LDAP::expire_if) > Jan 20 11:13:22 test-nac-fence2 packetfence_httpd.aaa[2123186]: > httpd.aaa(1204466) WARN: [mac:] [ad_user_auth set_role_agent] Searching for > (&(|(sAMAccountName=a.cedic)(servicePrincipalName=a.cedic))), from > DC=mutu,DC=local, with scope sub > (pf::Authentication::Source::LDAPSource::match_in_subclass) > Jan 20 11:13:22 test-nac-fence2 packetfence_httpd.aaa[2123186]: > httpd.aaa(1204466) INFO: [mac:] Matched rule (set_role_agent) in source > ad_user_auth, returning actions. (pf::Authentication::Source::match_rule) > > As if the first fails the second is still tested. > > Le 18/01/2022 à 14:45, Zammit, Ludovic a écrit : >> Hello Mathieu, >> >> The user AD source does a look up on samAccountName and the computer source >> does a look up with ServicePrincipalName those are two different things. You >> can match one at the time meaning: >> >> Computer login on the domain = Computer authentication >> >> User login on the domain = User authentication >> >> The 802.1x supplicant needs to be configured to do both authentication. >> >> Here what I advise you to do: >> >> Create one AD source with principal attribute = samAccountname then add >> search attribute = ServicePrincipalName. Then create a rule name >> computerAuth that does a look up on condition servicePrincipalname start >> with host/, assign a computer role. Create another rule for example to match >> on your user like memberof equals DISTINGUISHEDNAME-OF-A-GROUP return role >> Staff. >> >> So with one source you could match users and computers. Make sure the device >> engages Computer Auth AND user authentication when the user logs in. >> >> Thanks, >> >> Ludovic Zammit >> Product Support Engineer Principal >> >> >> Cell: +1.613.670.8432 >> Akamai Technologies - Inverse >> 145 Broadway >> Cambridge, MA 02142 >> >> Connect with Us: <https://community.akamai.com/> >> <http://blogs.akamai.com/> >> <https://urldefense.com/v3/__https://twitter.com/akamai__;!!GjvTz_vk!GICmSRSgVGPaGM9agZ-EqcGZqirm4AsA50El63U6ZzMmyytwtnAuTjdrlq3EAA$> >> >> <https://urldefense.com/v3/__http://www.facebook.com/AkamaiTechnologies__;!!GjvTz_vk!GICmSRSgVGPaGM9agZ-EqcGZqirm4AsA50El63U6ZzMmyytwtnAuTjcV9W7f0g$> >> >> <https://urldefense.com/v3/__http://www.linkedin.com/company/akamai-technologies__;!!GjvTz_vk!GICmSRSgVGPaGM9agZ-EqcGZqirm4AsA50El63U6ZzMmyytwtnAuTjfRhxxCjQ$> >> >> <https://urldefense.com/v3/__http://www.youtube.com/user/akamaitechnologies?feature=results_main__;!!GjvTz_vk!GICmSRSgVGPaGM9agZ-EqcGZqirm4AsA50El63U6ZzMmyytwtnAuTjdcx14Pdg$> >> >>> On Jan 18, 2022, at 4:17 AM, Mathieu Valois via PacketFence-users >>> <packetfence-users@lists.sourceforge.net >>> <mailto:packetfence-users@lists.sourceforge.net>> wrote: >>> >>> Hello, >>> >>> I would like to authenticate both machine and user using an AD >>> authentication source. I've made 2 authentication sources: one for machine >>> and one for users, following the installation guide. >>> >>> In the Standard Connection Profiles I've set the both sources and used an >>> ALL (AND) operator. However it looks like only the first matching source is >>> used. >>> >>> Is it expected? >>> >>> Thank you for your help, >>> >>> -- >>> <MDdkJhLo6CgYFu8x.png> >>> <https://urldefense.com/v3/__https://www.teicee.com/?pk_campaign=Email__;!!GjvTz_vk!Gk6qQsfJSQEo7SbSOBPX5DfTSZ1QK2T69A58mvR_NODUgY-2cNJsJm-_VKECDYWT$> >>> Mathieu Valois >>> Bureau Caen: Quartier Kœnig - 153, rue Géraldine MOCK - 14760 >>> Bretteville-sur-Odon >>> Bureau Vitré: Zone de la baratière - 12, route de Domalain - 35500 Vitré >>> 02 72 34 13 20 | www.teicee.com >>> <https://urldefense.com/v3/__https://www.teicee.com/?pk_campaign=Email__;!!GjvTz_vk!Gk6qQsfJSQEo7SbSOBPX5DfTSZ1QK2T69A58mvR_NODUgY-2cNJsJm-_VKECDYWT$><zXQgUtk0rgAZZaFb.png> >>> >>> <https://urldefense.com/v3/__https://www.facebook.com/teicee__;!!GjvTz_vk!Gk6qQsfJSQEo7SbSOBPX5DfTSZ1QK2T69A58mvR_NODUgY-2cNJsJm-_VEPyuRvg$> >>> <hURYnnFL0yTTPX0a.png> >>> <https://urldefense.com/v3/__https://twitter.com/Teicee_fr__;!!GjvTz_vk!Gk6qQsfJSQEo7SbSOBPX5DfTSZ1QK2T69A58mvR_NODUgY-2cNJsJm-_VNwFeith$><0PehPQD0bSJrXsPX.png> >>> >>> <https://urldefense.com/v3/__https://www.linkedin.com/company/t-c-e__;!!GjvTz_vk!Gk6qQsfJSQEo7SbSOBPX5DfTSZ1QK2T69A58mvR_NODUgY-2cNJsJm-_VIq-SVFI$> >>> <l5R9ar0Nx6hgxZtC.png> >>> <https://urldefense.com/v3/__https://fr.viadeo.com/fr/company/teicee__;!!GjvTz_vk!Gk6qQsfJSQEo7SbSOBPX5DfTSZ1QK2T69A58mvR_NODUgY-2cNJsJm-_VBaz58ef$> >>> <FXBh0PLSKkZ8pPLJ.png> >>> >>> _______________________________________________ >>> PacketFence-users mailing list >>> PacketFence-users@lists.sourceforge.net >>> <mailto:PacketFence-users@lists.sourceforge.net> >>> https://urldefense.com/v3/__https://lists.sourceforge.net/lists/listinfo/packetfence-users__;!!GjvTz_vk!Gk6qQsfJSQEo7SbSOBPX5DfTSZ1QK2T69A58mvR_NODUgY-2cNJsJm-_VCvC0oea$ >>> >>> <https://urldefense.com/v3/__https://lists.sourceforge.net/lists/listinfo/packetfence-users__;!!GjvTz_vk!Gk6qQsfJSQEo7SbSOBPX5DfTSZ1QK2T69A58mvR_NODUgY-2cNJsJm-_VCvC0oea$> >>> >> > -- > <eYLfl8URDEBIGOtk.png> > <https://urldefense.com/v3/__https://www.teicee.com/?pk_campaign=Email__;!!GjvTz_vk!GICmSRSgVGPaGM9agZ-EqcGZqirm4AsA50El63U6ZzMmyytwtnAuTjeKGEcr9Q$> > Mathieu Valois > Bureau Caen: Quartier Kœnig - 153, rue Géraldine MOCK - 14760 > Bretteville-sur-Odon > Bureau Vitré: Zone de la baratière - 12, route de Domalain - 35500 Vitré > 02 72 34 13 20 | www.teicee.com > <https://urldefense.com/v3/__https://www.teicee.com/?pk_campaign=Email__;!!GjvTz_vk!GICmSRSgVGPaGM9agZ-EqcGZqirm4AsA50El63U6ZzMmyytwtnAuTjeKGEcr9Q$><xjVDBF7E93SPIJEz.png> > > <https://urldefense.com/v3/__https://www.facebook.com/teicee__;!!GjvTz_vk!GICmSRSgVGPaGM9agZ-EqcGZqirm4AsA50El63U6ZzMmyytwtnAuTjeRLpCAvw$> > <LIJvLZvDoCgKftBs.png> > <https://urldefense.com/v3/__https://twitter.com/Teicee_fr__;!!GjvTz_vk!GICmSRSgVGPaGM9agZ-EqcGZqirm4AsA50El63U6ZzMmyytwtnAuTjdbYGaXlQ$><ULwTYf9XcQrmdbnG.png> > > <https://urldefense.com/v3/__https://www.linkedin.com/company/t-c-e__;!!GjvTz_vk!GICmSRSgVGPaGM9agZ-EqcGZqirm4AsA50El63U6ZzMmyytwtnAuTjeAOAr6iw$> > <KtQ30x2sw8c1lPDa.png> > <https://urldefense.com/v3/__https://fr.viadeo.com/fr/company/teicee__;!!GjvTz_vk!GICmSRSgVGPaGM9agZ-EqcGZqirm4AsA50El63U6ZzMmyytwtnAuTjfuuiaFNg$> > <cqj7OEQA0v0hmKHC.png> >
smime.p7s
Description: S/MIME cryptographic signature
_______________________________________________ PacketFence-users mailing list PacketFence-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/packetfence-users