Hello Mathieu,

Did you try to reboot the computer or log off to engage computer authentication?

I can only see user authentication.

Thanks,

Ludovic Zammit
Product Support Engineer Principal
Cell: +1.613.670.8432
Akamai Technologies - Inverse
145 Broadway
Cambridge, MA 02142

> On Jan 21, 2022, at 3:37 AM, Mathieu Valois <mval...@teicee.com> wrote:
>
> Hi,
>
> here are 2 authentications from 2 different machines: an AD-joined one and
> one without.
>
> [attached image: Screenshot 2022-01-21 at 09-33-02 PacketFence.png]
>
> On 20/01/2022 at 21:05, Zammit, Ludovic wrote:
>> Show me the audit page for that authentication.
>>
>> Thanks,
>>
>> Ludovic Zammit
>>
>>> On Jan 20, 2022, at 11:00 AM, Mathieu Valois <mval...@teicee.com> wrote:
>>>
>>> Ludovic,
>>>
>>> Even with these settings, authentication succeeds because the user matches
>>> the second rule, meaning that if the computer is not in the Active
>>> Directory, the user can still do 802.1X successfully.
>>>
>>> On 20/01/2022 at 15:18, Zammit, Ludovic wrote:
>>>> Hello Mathieu,
>>>>
>>>> Make sure that your Windows supplicant is configured that way:
>>>>
>>>> [attached image: Configure the Protected EAP authentication method in the PEAP properties of Windows 10 802.1x configuration]
>>>>
>>>> Log off and it should engage the computer authentication.
>>>>
>>>> Thanks,
>>>>
>>>> Ludovic Zammit
>>>>
>>>>> On Jan 20, 2022, at 6:17 AM, Mathieu Valois <mval...@teicee.com> wrote:
>>>>>
>>>>> Hello Ludovic,
>>>>>
>>>>> thank you for your answer.
>>>>>
>>>>> Currently, it looks like the supplicant does not engage both computer and
>>>>> user auth. We're looking for a solution for this.
>>>>>
>>>>> However, look at what I've set:
>>>>>
>>>>> [attached screenshot]
>>>>>
>>>>> With such settings, users can still authenticate even if the machine is
>>>>> not in the AD group. Here are the logs:
>>>>>
>>>>> Jan 20 11:13:22 test-nac-fence2 packetfence_httpd.aaa[2123186]: httpd.aaa(1204466) WARN: [mac:] [ad_user_auth computerAuth] Searching for (&(&(|(sAMAccountName=a.cedic)(servicePrincipalName=a.cedic)))(servicePrincipalName=host/*)), from DC=mutu,DC=local, with scope sub (pf::Authentication::Source::LDAPSource::match_in_subclass)
>>>>> Jan 20 11:13:22 test-nac-fence2 packetfence_httpd.aaa[2123186]: httpd.aaa(1204466) INFO: [mac:] LDAP testing connection (pf::LDAP::expire_if)
>>>>> Jan 20 11:13:22 test-nac-fence2 packetfence_httpd.aaa[2123186]: httpd.aaa(1204466) ERROR: [mac:] Error binding: 'Connection reset by peer' (pf::LDAP::log_error_msg)
>>>>> Jan 20 11:13:22 test-nac-fence2 packetfence_httpd.aaa[2123186]: httpd.aaa(1204466) WARN: [mac:] LDAP connection expired (pf::LDAP::expire_if)
>>>>> Jan 20 11:13:22 test-nac-fence2 packetfence_httpd.aaa[2123186]: httpd.aaa(1204466) WARN: [mac:] [ad_user_auth set_role_agent] Searching for (&(|(sAMAccountName=a.cedic)(servicePrincipalName=a.cedic))), from DC=mutu,DC=local, with scope sub (pf::Authentication::Source::LDAPSource::match_in_subclass)
>>>>> Jan 20 11:13:22 test-nac-fence2 packetfence_httpd.aaa[2123186]: httpd.aaa(1204466) INFO: [mac:] Matched rule (set_role_agent) in source ad_user_auth, returning actions. (pf::Authentication::Source::match_rule)
>>>>>
>>>>> As if the first fails the second is still tested.
>>>>>
>>>>> On 18/01/2022 at 14:45, Zammit, Ludovic wrote:
>>>>>> Hello Mathieu,
>>>>>>
>>>>>> The user AD source does a lookup on samAccountName and the computer
>>>>>> source does a lookup with ServicePrincipalName; those are two different
>>>>>> things. You can match one at a time, meaning:
>>>>>>
>>>>>> Computer login on the domain = Computer authentication
>>>>>>
>>>>>> User login on the domain = User authentication
>>>>>>
>>>>>> The 802.1x supplicant needs to be configured to do both authentications.
>>>>>>
>>>>>> Here is what I advise you to do:
>>>>>>
>>>>>> Create one AD source with principal attribute = samAccountname then add
>>>>>> search attribute = ServicePrincipalName. Then create a rule named
>>>>>> computerAuth that does a lookup on condition servicePrincipalname starts
>>>>>> with host/, assign a computer role. Create another rule for example to
>>>>>> match on your user like memberof equals DISTINGUISHEDNAME-OF-A-GROUP
>>>>>> return role Staff.
>>>>>>
>>>>>> So with one source you could match users and computers. Make sure the
>>>>>> device engages Computer Auth AND user authentication when the user logs
>>>>>> in.
>>>>>>
>>>>>> Thanks,
>>>>>>
>>>>>> Ludovic Zammit
>>>>>>
>>>>>>> On Jan 18, 2022, at 4:17 AM, Mathieu Valois via PacketFence-users
>>>>>>> <packetfence-users@lists.sourceforge.net> wrote:
>>>>>>>
>>>>>>> Hello,
>>>>>>>
>>>>>>> I would like to authenticate both machine and user using an AD
>>>>>>> authentication source. I've made 2 authentication sources: one for
>>>>>>> machine and one for users, following the installation guide.
>>>>>>>
>>>>>>> In the Standard Connection Profiles I've set both sources and used
>>>>>>> an ALL (AND) operator. However it looks like only the first matching
>>>>>>> source is used.
>>>>>>>
>>>>>>> Is it expected?
>>>>>>>
>>>>>>> Thank you for your help,
>>>>>>>
>>>>>>> --
>>>>>>> Mathieu Valois
>>>>>>> Bureau Caen: Quartier Kœnig - 153, rue Géraldine MOCK - 14760
>>>>>>> Bretteville-sur-Odon
>>>>>>> Bureau Vitré: Zone de la baratière - 12, route de Domalain - 35500 Vitré
>>>>>>> 02 72 34 13 20 | www.teicee.com
_______________________________________________
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users