Show me the audit page for that authentication. Thanks,
Ludovic Zammit Product Support Engineer Principal Cell: +1.613.670.8432 Akamai Technologies - Inverse 145 Broadway Cambridge, MA 02142 Connect with Us: <https://community.akamai.com/> <http://blogs.akamai.com/> <https://twitter.com/akamai> <http://www.facebook.com/AkamaiTechnologies> <http://www.linkedin.com/company/akamai-technologies> <http://www.youtube.com/user/akamaitechnologies?feature=results_main> > On Jan 20, 2022, at 11:00 AM, Mathieu Valois <mval...@teicee.com> wrote: > > Ludovic, > > Even with these settings, authentication succeeds because the user matches > the second rule, meaning that if the computer is not in the Active Directory, > the user can still do 802.1X successfully. > > Le 20/01/2022 à 15:18, Zammit, Ludovic a écrit : >> Hello Matthieu, >> >> Make sure that your windows supplicant is configured that way: >> >> <Configure-the-Protected-EAP-authentication-method-in-the-PEAP-properties-of-Windows-10-802.1x-configuration.png> >> >> <ImageViewer.png> >> >> Log off and it should engage the computer authentication. >> >> Thanks, >> >> Ludovic Zammit >> Product Support Engineer Principal >> >> >> Cell: +1.613.670.8432 >> Akamai Technologies - Inverse >> 145 Broadway >> Cambridge, MA 02142 >> >> Connect with Us: <https://community.akamai.com/> >> <http://blogs.akamai.com/> >> <https://urldefense.com/v3/__https://twitter.com/akamai__;!!GjvTz_vk!EHerYH68Ku09DAXxoA7lASkmQdNka0CXP_HbEbVHU4bFmUBsg69eHKmnXoIqwg$> >> >> <https://urldefense.com/v3/__http://www.facebook.com/AkamaiTechnologies__;!!GjvTz_vk!EHerYH68Ku09DAXxoA7lASkmQdNka0CXP_HbEbVHU4bFmUBsg69eHKm9OA4LXw$> >> >> <https://urldefense.com/v3/__http://www.linkedin.com/company/akamai-technologies__;!!GjvTz_vk!EHerYH68Ku09DAXxoA7lASkmQdNka0CXP_HbEbVHU4bFmUBsg69eHKkwJzfXRQ$> >> >> <https://urldefense.com/v3/__http://www.youtube.com/user/akamaitechnologies?feature=results_main__;!!GjvTz_vk!EHerYH68Ku09DAXxoA7lASkmQdNka0CXP_HbEbVHU4bFmUBsg69eHKmMm3_ocA$> >> >>> On Jan 20, 2022, at 6:17 AM, Mathieu Valois <mval...@teicee.com >>> <mailto:mval...@teicee.com>> wrote: >>> >>> Hello Ludovic, >>> >>> thank you for your answer. >>> >>> Currently, it looks like the supplicant does not engage both computer and >>> user auth. We're looking on a solution for this. >>> >>> However, look at what I've set : >>> >>> <tK0YPWM4oP3I5ABN.png> >>> >>> with such settings, users can still authenticate even if the machine is not >>> in the AD group. Here are the logs : >>> >>> Jan 20 11:13:22 test-nac-fence2 packetfence_httpd.aaa[2123186]: >>> httpd.aaa(1204466) WARN: [mac:] [ad_user_auth computerAuth] Searching for >>> (&(&(|(sAMAccountName=a.cedic)(servicePrincipalName=a.cedic)))(servicePrincipalName=host/*)), >>> from DC=mutu,DC=local, with scope sub >>> (pf::Authentication::Source::LDAPSource::match_in_subclass) >>> Jan 20 11:13:22 test-nac-fence2 packetfence_httpd.aaa[2123186]: >>> httpd.aaa(1204466) INFO: [mac:] LDAP testing connection >>> (pf::LDAP::expire_if) >>> Jan 20 11:13:22 test-nac-fence2 packetfence_httpd.aaa[2123186]: >>> httpd.aaa(1204466) ERROR: [mac:] Error binding: 'Connection reset by peer' >>> (pf::LDAP::log_error_msg) >>> Jan 20 11:13:22 test-nac-fence2 packetfence_httpd.aaa[2123186]: >>> httpd.aaa(1204466) WARN: [mac:] LDAP connection expired >>> (pf::LDAP::expire_if) >>> Jan 20 11:13:22 test-nac-fence2 packetfence_httpd.aaa[2123186]: >>> httpd.aaa(1204466) WARN: [mac:] [ad_user_auth set_role_agent] Searching for >>> (&(|(sAMAccountName=a.cedic)(servicePrincipalName=a.cedic))), from >>> DC=mutu,DC=local, with scope sub >>> (pf::Authentication::Source::LDAPSource::match_in_subclass) >>> Jan 20 11:13:22 test-nac-fence2 packetfence_httpd.aaa[2123186]: >>> httpd.aaa(1204466) INFO: [mac:] Matched rule (set_role_agent) in source >>> ad_user_auth, returning actions. (pf::Authentication::Source::match_rule) >>> >>> As if the first fails the second is still tested. >>> >>> Le 18/01/2022 à 14:45, Zammit, Ludovic a écrit : >>>> Hello Mathieu, >>>> >>>> The user AD source does a look up on samAccountName and the computer >>>> source does a look up with ServicePrincipalName those are two different >>>> things. You can match one at the time meaning: >>>> >>>> Computer login on the domain = Computer authentication >>>> >>>> User login on the domain = User authentication >>>> >>>> The 802.1x supplicant needs to be configured to do both authentication. >>>> >>>> Here what I advise you to do: >>>> >>>> Create one AD source with principal attribute = samAccountname then add >>>> search attribute = ServicePrincipalName. Then create a rule name >>>> computerAuth that does a look up on condition servicePrincipalname start >>>> with host/, assign a computer role. Create another rule for example to >>>> match on your user like memberof equals DISTINGUISHEDNAME-OF-A-GROUP >>>> return role Staff. >>>> >>>> So with one source you could match users and computers. Make sure the >>>> device engages Computer Auth AND user authentication when the user logs in. >>>> >>>> Thanks, >>>> >>>> Ludovic Zammit >>>> Product Support Engineer Principal >>>> >>>> >>>> Cell: +1.613.670.8432 >>>> Akamai Technologies - Inverse >>>> 145 Broadway >>>> Cambridge, MA 02142 >>>> >>>> Connect with Us: <https://community.akamai.com/> >>>> <http://blogs.akamai.com/> >>>> <https://urldefense.com/v3/__https://twitter.com/akamai__;!!GjvTz_vk!GICmSRSgVGPaGM9agZ-EqcGZqirm4AsA50El63U6ZzMmyytwtnAuTjdrlq3EAA$> >>>> >>>> <https://urldefense.com/v3/__http://www.facebook.com/AkamaiTechnologies__;!!GjvTz_vk!GICmSRSgVGPaGM9agZ-EqcGZqirm4AsA50El63U6ZzMmyytwtnAuTjcV9W7f0g$> >>>> >>>> <https://urldefense.com/v3/__http://www.linkedin.com/company/akamai-technologies__;!!GjvTz_vk!GICmSRSgVGPaGM9agZ-EqcGZqirm4AsA50El63U6ZzMmyytwtnAuTjfRhxxCjQ$> >>>> >>>> <https://urldefense.com/v3/__http://www.youtube.com/user/akamaitechnologies?feature=results_main__;!!GjvTz_vk!GICmSRSgVGPaGM9agZ-EqcGZqirm4AsA50El63U6ZzMmyytwtnAuTjdcx14Pdg$> >>>> >>>>> On Jan 18, 2022, at 4:17 AM, Mathieu Valois via PacketFence-users >>>>> <packetfence-users@lists.sourceforge.net >>>>> <mailto:packetfence-users@lists.sourceforge.net>> wrote: >>>>> >>>>> Hello, >>>>> >>>>> I would like to authenticate both machine and user using an AD >>>>> authentication source. I've made 2 authentication sources: one for >>>>> machine and one for users, following the installation guide. >>>>> >>>>> In the Standard Connection Profiles I've set the both sources and used an >>>>> ALL (AND) operator. However it looks like only the first matching source >>>>> is used. >>>>> >>>>> Is it expected? >>>>> >>>>> Thank you for your help, >>>>> >>>>> -- >>>>> <MDdkJhLo6CgYFu8x.png> >>>>> <https://urldefense.com/v3/__https://www.teicee.com/?pk_campaign=Email__;!!GjvTz_vk!Gk6qQsfJSQEo7SbSOBPX5DfTSZ1QK2T69A58mvR_NODUgY-2cNJsJm-_VKECDYWT$> >>>>> Mathieu Valois >>>>> Bureau Caen: Quartier Kœnig - 153, rue Géraldine MOCK - 14760 >>>>> Bretteville-sur-Odon >>>>> Bureau Vitré: Zone de la baratière - 12, route de Domalain - 35500 Vitré >>>>> 02 72 34 13 20 | www.teicee.com >>>>> <https://urldefense.com/v3/__https://www.teicee.com/?pk_campaign=Email__;!!GjvTz_vk!Gk6qQsfJSQEo7SbSOBPX5DfTSZ1QK2T69A58mvR_NODUgY-2cNJsJm-_VKECDYWT$><zXQgUtk0rgAZZaFb.png> >>>>> >>>>> <https://urldefense.com/v3/__https://www.facebook.com/teicee__;!!GjvTz_vk!Gk6qQsfJSQEo7SbSOBPX5DfTSZ1QK2T69A58mvR_NODUgY-2cNJsJm-_VEPyuRvg$> >>>>> <hURYnnFL0yTTPX0a.png> >>>>> <https://urldefense.com/v3/__https://twitter.com/Teicee_fr__;!!GjvTz_vk!Gk6qQsfJSQEo7SbSOBPX5DfTSZ1QK2T69A58mvR_NODUgY-2cNJsJm-_VNwFeith$><0PehPQD0bSJrXsPX.png> >>>>> >>>>> <https://urldefense.com/v3/__https://www.linkedin.com/company/t-c-e__;!!GjvTz_vk!Gk6qQsfJSQEo7SbSOBPX5DfTSZ1QK2T69A58mvR_NODUgY-2cNJsJm-_VIq-SVFI$> >>>>> <l5R9ar0Nx6hgxZtC.png> >>>>> <https://urldefense.com/v3/__https://fr.viadeo.com/fr/company/teicee__;!!GjvTz_vk!Gk6qQsfJSQEo7SbSOBPX5DfTSZ1QK2T69A58mvR_NODUgY-2cNJsJm-_VBaz58ef$> >>>>> <FXBh0PLSKkZ8pPLJ.png> >>>>> >>>>> _______________________________________________ >>>>> PacketFence-users mailing list >>>>> PacketFence-users@lists.sourceforge.net >>>>> <mailto:PacketFence-users@lists.sourceforge.net> >>>>> https://urldefense.com/v3/__https://lists.sourceforge.net/lists/listinfo/packetfence-users__;!!GjvTz_vk!Gk6qQsfJSQEo7SbSOBPX5DfTSZ1QK2T69A58mvR_NODUgY-2cNJsJm-_VCvC0oea$ >>>>> >>>>> <https://urldefense.com/v3/__https://lists.sourceforge.net/lists/listinfo/packetfence-users__;!!GjvTz_vk!Gk6qQsfJSQEo7SbSOBPX5DfTSZ1QK2T69A58mvR_NODUgY-2cNJsJm-_VCvC0oea$> >>>>> >>>> >>> -- >>> <eYLfl8URDEBIGOtk.png> >>> <https://urldefense.com/v3/__https://www.teicee.com/?pk_campaign=Email__;!!GjvTz_vk!GICmSRSgVGPaGM9agZ-EqcGZqirm4AsA50El63U6ZzMmyytwtnAuTjeKGEcr9Q$> >>> Mathieu Valois >>> Bureau Caen: Quartier Kœnig - 153, rue Géraldine MOCK - 14760 >>> Bretteville-sur-Odon >>> Bureau Vitré: Zone de la baratière - 12, route de Domalain - 35500 Vitré >>> 02 72 34 13 20 | www.teicee.com >>> <https://urldefense.com/v3/__https://www.teicee.com/?pk_campaign=Email__;!!GjvTz_vk!GICmSRSgVGPaGM9agZ-EqcGZqirm4AsA50El63U6ZzMmyytwtnAuTjeKGEcr9Q$><xjVDBF7E93SPIJEz.png> >>> >>> <https://urldefense.com/v3/__https://www.facebook.com/teicee__;!!GjvTz_vk!GICmSRSgVGPaGM9agZ-EqcGZqirm4AsA50El63U6ZzMmyytwtnAuTjeRLpCAvw$> >>> <LIJvLZvDoCgKftBs.png> >>> <https://urldefense.com/v3/__https://twitter.com/Teicee_fr__;!!GjvTz_vk!GICmSRSgVGPaGM9agZ-EqcGZqirm4AsA50El63U6ZzMmyytwtnAuTjdbYGaXlQ$><ULwTYf9XcQrmdbnG.png> >>> >>> <https://urldefense.com/v3/__https://www.linkedin.com/company/t-c-e__;!!GjvTz_vk!GICmSRSgVGPaGM9agZ-EqcGZqirm4AsA50El63U6ZzMmyytwtnAuTjeAOAr6iw$> >>> <KtQ30x2sw8c1lPDa.png> >>> <https://urldefense.com/v3/__https://fr.viadeo.com/fr/company/teicee__;!!GjvTz_vk!GICmSRSgVGPaGM9agZ-EqcGZqirm4AsA50El63U6ZzMmyytwtnAuTjfuuiaFNg$> >>> <cqj7OEQA0v0hmKHC.png> >>> >> > -- > <q8eXqEmws99tZ3oo.png> > <https://urldefense.com/v3/__https://www.teicee.com/?pk_campaign=Email__;!!GjvTz_vk!EHerYH68Ku09DAXxoA7lASkmQdNka0CXP_HbEbVHU4bFmUBsg69eHKmGaAs46w$> > Mathieu Valois > Bureau Caen: Quartier Kœnig - 153, rue Géraldine MOCK - 14760 > Bretteville-sur-Odon > Bureau Vitré: Zone de la baratière - 12, route de Domalain - 35500 Vitré > 02 72 34 13 20 | www.teicee.com > <https://urldefense.com/v3/__https://www.teicee.com/?pk_campaign=Email__;!!GjvTz_vk!EHerYH68Ku09DAXxoA7lASkmQdNka0CXP_HbEbVHU4bFmUBsg69eHKmGaAs46w$><WBsDOnQY6NjtenU1.png> > > <https://urldefense.com/v3/__https://www.facebook.com/teicee__;!!GjvTz_vk!EHerYH68Ku09DAXxoA7lASkmQdNka0CXP_HbEbVHU4bFmUBsg69eHKlrsrCPdw$> > <0i3jO0wpc2fwpGZe.png> > <https://urldefense.com/v3/__https://twitter.com/Teicee_fr__;!!GjvTz_vk!EHerYH68Ku09DAXxoA7lASkmQdNka0CXP_HbEbVHU4bFmUBsg69eHKk4velZvQ$><dWuKwI4WIXupHlJm.png> > > <https://urldefense.com/v3/__https://www.linkedin.com/company/t-c-e__;!!GjvTz_vk!EHerYH68Ku09DAXxoA7lASkmQdNka0CXP_HbEbVHU4bFmUBsg69eHKnnrbJ1nA$> > <oN2Au7dwZOIF7IDd.png> > <https://urldefense.com/v3/__https://fr.viadeo.com/fr/company/teicee__;!!GjvTz_vk!EHerYH68Ku09DAXxoA7lASkmQdNka0CXP_HbEbVHU4bFmUBsg69eHKk35Ges-Q$> > <9pVhMuHPT46iX4R9.png> >
smime.p7s
Description: S/MIME cryptographic signature
_______________________________________________ PacketFence-users mailing list PacketFence-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/packetfence-users