New user to PacketFence. As our company is moving away from AD to Okta
for our IdP, I need to replace our Windows NPS for authenticating our
Wi-Fi users. I've been posting on Reddit in r/PacketFence, but I
understand this is the better place to get assistance, so I'm going to
try here.

Here is what I have so far:

I've created the realm for our domain. I have created a RADIUS
authentication source and associated it with the created realm. No
rules are created at this time. I have also created an LDAP
authentication source pointing to our Okta LDAP interface and
associated that with our realm. The test with the associated Bind DN is
successful. I've tried creating a rule using LDAP, selecting "member is
member of" dn=Wireless_Users_Group,ou=groups,dc=domain,dc=okta,dc=com,
with action Role - default and Access Duration - 1 day.

Using ldapsearch as follows:

ldapsearch -D "uid=serv...@domain.com,ou=users,dc=domain,dc=okta,dc=com" -W -H ldaps://domain.ldap.okta.com -b dc=domain,dc=okta,dc=com uid=test...@domain.com \* +

This lists the various attributes of the user, but does not list the
groups the user is a member of.

To list the groups the user is a member of, I can do the following ldapsearch:

ldapsearch -x -H ldaps://domain.ldap.okta.com -D "uid=serv...@domain.com,ou=users,dc=domain,dc=okta,dc=com" -W -b dc=domain,dc=okta,dc=com uid=test...@domain.com memberOf

This shows me a long list of groups the user is a member of, in the
following format:

memberOf: cn=miro_users,ou=groups,dc=domain,dc=okta,dc=com

This is different from the typical AD approach to getting memberOf.

I get the following when doing a radtest:

radtest u...@domain.com <password> localhost:18120 12 testing123

Sent Access-Request Id 184 from 0.0.0.0:57241 to 127.0.0.1:18120 length 106
    User-Name = "u...@domain.com"
    User-Password = "<password>"
    NAS-IP-Address = 127.0.1.1
    NAS-Port = 12
    Message-Authenticator = 0x00
    Cleartext-Password = "<password>"

The above is repeated 3 times and then I get:

(0) No reply from server for ID 184 socket 3

Obviously Okta is not the usual IdP for RADIUS from what I can see, and
their LDAP implementation may be a bit different. In my Google searches
I see that players like SecureW2, using FreeRADIUS on the backend, are
using SAML connectivity with Okta. I've configured a SAML
authentication source in PF, but that is as far as I've got so far.

I tried to start PF's FreeRADIUS in debug mode, but didn't have any
success. In System Configuration | Services I stopped radiusd and
radiusd-auth and tried the following:

freeradius -X -d /usr/local/pf/raddb -n auth

That fails with: binding to status address of 127.0.0.1 port 18121:
Address already in use. So I'm not sure how to get debug mode working
to see more info on what is happening in RADIUS.

At this point I'm pretty lost. Not sure what steps I'm missing in all
of this and have tried to follow documentation to set things up, but
I'm obviously missing some stuff.

The goal is to get users to authenticate against Okta for Wi-Fi access
if they belong to a certain group, and then, depending on that group,
assign them the correct VLAN. We are using Unifi APs with a Unifi Cloud
Key and currently have that working in NPS. I just need to move it over
to PacketFence.

Any assistance you can provide to get me working would be greatly appreciated.

Thanks,
Brian


_______________________________________________
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users
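Since the memberOf values Okta's LDAP interface returns carry the group CN directly, the group-to-VLAN decision described in the post can be exercised outside PacketFence before wiring up the RADIUS side. The script below is an added example, not code from the original post and not PacketFence's own code: it parses LDIF in the memberOf format shown in the post and picks a VLAN by group priority, printing nothing (deny) for a user outside every mapped group. The group names (Wireless_Users_Group, Wireless_Guests), VLAN IDs, bind DN, host and the sample LDIF are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post, and not PacketFence's own code):
# take the LDIF that Okta's LDAP interface returns for a user's memberOf
# attribute and map the highest-priority matching group to a VLAN.
# Group names, VLAN IDs, host and bind DN below are assumptions.

# Group -> VLAN mapping, most privileged first; a user in several mapped
# groups gets the VLAN of the first one listed here.
GROUP_VLAN_PRIORITY='Wireless_Users_Group=20
Wireless_Guests=40'

# How the LDIF would be fetched for real (not called here, so the script
# runs offline). -x forces a simple bind; -o ldif-wrap=no stops ldapsearch
# from folding long memberOf DNs across lines, which would break the
# line-based parser below. Escape $1 per RFC 4515 if it is user-supplied.
fetch_memberof() {
    ldapsearch -x -o ldif-wrap=no -H ldaps://domain.ldap.okta.com \
        -D "uid=service@domain.com,ou=users,dc=domain,dc=okta,dc=com" -W \
        -b dc=domain,dc=okta,dc=com "(uid=$1)" memberOf
}

# Print the CN of every memberOf value on stdin, one per line.
# Okta's format: memberOf: cn=<group>,ou=groups,dc=domain,dc=okta,dc=com
memberof_cns() {
    sed -n 's/^memberOf: *cn=\([^,]*\),.*/\1/p'
}

# vlan_for_ldif: read LDIF on stdin and print the VLAN for the
# highest-priority group the user belongs to. Prints nothing and returns 1
# when the user is in none of the mapped groups: the deny case for a user
# outside the allowed wireless groups.
vlan_for_ldif() {
    cns=$(memberof_cns)
    nl='
'
    old_ifs=$IFS
    IFS=$nl                      # split on newlines only: CNs may contain spaces
    for entry in $GROUP_VLAN_PRIORITY; do
        group=${entry%%=*}
        vlan=${entry#*=}
        for cn in $cns; do
            if [ "$cn" = "$group" ]; then
                IFS=$old_ifs
                printf '%s\n' "$vlan"
                return 0
            fi
        done
    done
    IFS=$old_ifs
    return 1
}

# Constructed sample LDIF in the format the post shows for Okta (not real data).
SAMPLE_STAFF='dn: uid=test@domain.com,ou=users,dc=domain,dc=okta,dc=com
memberOf: cn=miro_users,ou=groups,dc=domain,dc=okta,dc=com
memberOf: cn=Wireless_Users_Group,ou=groups,dc=domain,dc=okta,dc=com'

SAMPLE_OUTSIDER='dn: uid=other@domain.com,ou=users,dc=domain,dc=okta,dc=com
memberOf: cn=miro_users,ou=groups,dc=domain,dc=okta,dc=com'

printf '%s\n' "$SAMPLE_STAFF" | vlan_for_ldif || echo "staff: no mapped group"
printf '%s\n' "$SAMPLE_OUTSIDER" | vlan_for_ldif || echo "outsider: no wireless VLAN, deny"
```

The priority list is walked in map order rather than in the order Okta returns memberOf values, so the assignment does not depend on directory ordering; with the assumed mapping, a user in both groups lands on VLAN 20. To run it against the real directory, pipe fetch_memberof into vlan_for_ldif after adjusting the host and bind DN.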