Hello Ludovic,
yes, we did reboot the machine. However, even if the computer does not
engage machine authentication, why does PacketFence authorize it?
To be clear, we need both authentications, meaning the computer has to be
in the AD and the user should be authenticated also.
It looks like PacketFence is doing one or the other authentication, not
both at the same time.
On 21/01/2022 at 14:54, Zammit, Ludovic wrote:
Hello Mathieu,
Did you try to reboot the computer or log off to engage computer
authentication?
I can only see user authentication.
Thanks,
*Ludovic Zammit*
*Product Support Engineer Principal*
*Cell:* +1.613.670.8432
Akamai Technologies - Inverse
145 Broadway
Cambridge, MA 02142
Connect with Us: <https://community.akamai.com>
<http://blogs.akamai.com> <https://twitter.com/akamai>
<http://www.facebook.com/AkamaiTechnologies>
<http://www.linkedin.com/company/akamai-technologies>
<http://www.youtube.com/user/akamaitechnologies?feature=results_main>
On Jan 21, 2022, at 3:37 AM, Mathieu Valois <mval...@teicee.com> wrote:
Hi,
here are 2 authentications from 2 different machines: an AD-joined
one and one without.
[screenshot: PacketFence, 2022-01-21 09:33:02]
On 20/01/2022 at 21:05, Zammit, Ludovic wrote:
Show me the audit page for that authentication.
Thanks,
On Jan 20, 2022, at 11:00 AM, Mathieu Valois <mval...@teicee.com>
wrote:
Ludovic,
Even with these settings, authentication succeeds because the user
matches the second rule, meaning that if the computer is not in the
Active Directory, the user can still do 802.1X successfully.
On 20/01/2022 at 15:18, Zammit, Ludovic wrote:
Hello Mathieu,
Make sure that your Windows supplicant is configured that way:
[screenshot: Configure the Protected EAP authentication method in the PEAP properties of the Windows 10 802.1X configuration]
Log off and it should engage the computer authentication.
Thanks,
On Jan 20, 2022, at 6:17 AM, Mathieu Valois <mval...@teicee.com>
wrote:
Hello Ludovic,
thank you for your answer.
Currently, it looks like the supplicant does not engage both
computer and user auth. We're looking for a solution for this.
However, look at what I've set:
[screenshot]
With such settings, users can still authenticate even if the
machine is not in the AD group. Here are the logs:
Jan 20 11:13:22 test-nac-fence2 packetfence_httpd.aaa[2123186]: httpd.aaa(1204466) WARN: [mac:] [ad_user_auth computerAuth] Searching for (&(&(|(sAMAccountName=a.cedic)(servicePrincipalName=a.cedic)))(servicePrincipalName=host/*)), from DC=mutu,DC=local, with scope sub (pf::Authentication::Source::LDAPSource::match_in_subclass)
Jan 20 11:13:22 test-nac-fence2 packetfence_httpd.aaa[2123186]: httpd.aaa(1204466) INFO: [mac:] LDAP testing connection (pf::LDAP::expire_if)
Jan 20 11:13:22 test-nac-fence2 packetfence_httpd.aaa[2123186]: httpd.aaa(1204466) ERROR: [mac:] Error binding: 'Connection reset by peer' (pf::LDAP::log_error_msg)
Jan 20 11:13:22 test-nac-fence2 packetfence_httpd.aaa[2123186]: httpd.aaa(1204466) WARN: [mac:] LDAP connection expired (pf::LDAP::expire_if)
Jan 20 11:13:22 test-nac-fence2 packetfence_httpd.aaa[2123186]: httpd.aaa(1204466) WARN: [mac:] [ad_user_auth set_role_agent] Searching for (&(|(sAMAccountName=a.cedic)(servicePrincipalName=a.cedic))), from DC=mutu,DC=local, with scope sub (pf::Authentication::Source::LDAPSource::match_in_subclass)
Jan 20 11:13:22 test-nac-fence2 packetfence_httpd.aaa[2123186]: httpd.aaa(1204466) INFO: [mac:] Matched rule (set_role_agent) in source ad_user_auth, returning actions. (pf::Authentication::Source::match_rule)
As if, when the first rule fails, the second is still tested.
On 18/01/2022 at 14:45, Zammit, Ludovic wrote:
Hello Mathieu,
The user AD source does a lookup on sAMAccountName and the
computer source does a lookup on servicePrincipalName; those
are two different things. You can match one at a time, meaning:
Computer login on the domain = Computer authentication
User login on the domain = User authentication
The 802.1X supplicant needs to be configured to do both
authentications.
Here is what I advise you to do:
Create one AD source with principal attribute = sAMAccountName,
then add search attribute = servicePrincipalName. Then create a
rule named computerAuth that does a lookup on the condition
servicePrincipalName starts with host/, and assign a computer role.
Create another rule, for example to match on your user like
memberOf equals DISTINGUISHEDNAME-OF-A-GROUP, returning role Staff.
So with one source you could match users and computers. Make
sure the device engages Computer Auth AND user authentication
when the user logs in.
Thanks,
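The two-rule source Ludovic describes, modelled as an added example that is not PacketFence's own code: it reproduces why a user login matches the user rule on its own, and adds the correlation a defender would use to check that the computer authentication actually happened before the user one. Attribute names, the host/ prefix and the rule names are from the thread; the directory entries, group DN, MAC addresses and helper names are assumptions.

```python
# Added example (not PacketFence code): toy model of the rule evaluation
# Ludovic describes, one authentication at a time, over a constructed
# mini-directory. Entries, the group DN and MAC addresses are made-up data.
from fnmatch import fnmatchcase

STAFF_GROUP = "CN=Staff,OU=Groups,DC=mutu,DC=local"  # hypothetical DN
DIRECTORY = [  # constructed AD entries, not a real directory
    {"sAMAccountName": "a.cedic", "servicePrincipalName": [],
     "memberOf": [STAFF_GROUP]},
    {"sAMAccountName": "PC01$", "memberOf": [],
     "servicePrincipalName": ["host/pc01.mutu.local", "host/PC01"]},
]

def lookup(identity):
    """Source search as seen in the log: (|(sAMAccountName=x)(servicePrincipalName=x))."""
    for e in DIRECTORY:
        if identity == e["sAMAccountName"] or identity in e["servicePrincipalName"]:
            return e
    return None

# Ordered rules: (name, condition on the entry, role). First match wins.
RULES = [
    ("computerAuth",
     lambda e: any(fnmatchcase(s, "host/*") for s in e["servicePrincipalName"]),
     "computer"),
    ("set_role_agent", lambda e: STAFF_GROUP in e["memberOf"], "Staff"),
]

def match_rules(identity):
    """(rule name, role) of the first satisfied rule, or None. Each 802.1X
    authentication is evaluated alone, so a user login only ever hits the user rule."""
    entry = lookup(identity)
    if entry is None:
        return None
    for name, cond, role in RULES:
        if cond(entry):
            return (name, role)
    return None

def users_without_machine_auth(events):
    """Correlate (mac, identity) events in time order and report MACs where a user
    authenticated with no prior computer auth: the AND a single rule cannot express."""
    machine_ok, flagged = set(), set()
    for mac, identity in events:
        hit = match_rules(identity)
        if hit and hit[1] == "computer":
            machine_ok.add(mac)
        elif hit and mac not in machine_ok:
            flagged.add(mac)
    return flagged
```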
On Jan 18, 2022, at 4:17 AM, Mathieu Valois via
PacketFence-users <packetfence-users@lists.sourceforge.net> wrote:
Hello,
I would like to authenticate both machine and user using an AD
authentication source. I've made 2 authentication sources: one
for machines and one for users, following the installation guide.
In the Standard Connection Profiles I've set both sources
and used an ALL (AND) operator. However, it looks like only the
first matching source is used.
Is this expected?
Thank you for your help,
--
*Mathieu Valois*
Bureau Caen: Quartier Kœnig - 153, rue Géraldine MOCK - 14760
Bretteville-sur-Odon
Bureau Vitré: Zone de la baratière - 12, route de Domalain -
35500 Vitré
02 72 34 13 20 | www.teicee.com
_______________________________________________
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users