Here is my computer auth rule that is working against AD-LDAP [image: image.png]
On Sat, Jan 18, 2025 at 8:10 AM Corey Keeling (Shared Services IT - Staff) via PacketFence-users <packetfence-users@lists.sourceforge.net> wrote:
> From looking at the PacketFence log it is using the AD Authentication source but isn't finding the device.
>
> Jan 16 08:54:46 <redacted> httpd.aaa-docker-wrapper[3005]: httpd.aaa(7) INFO: [mac:18:5e:0f:cc:39:86] handling radius autz request: from switch_ip => (<redacted>), connection_type => Wireless-802.11-EAP, switch_mac => (30:cb:c7:54:8d:12), mac => [18:5e:0f:cc:39:86], port => 0, username => "COL-ELT-03.pfa.education", ssid => ULCC-Curriculum (pf::radius::authorize)
> Jan 16 08:54:46 <redacted> httpd.aaa-docker-wrapper[3005]: httpd.aaa(7) WARN: [mac:18:5e:0f:cc:39:86] [AD_MachineAuthentication Curriculum] Searching for (servicePrincipalName=COL-ELT-03.pfa.education), from OU=Computers,OU=PFA,DC=pfa,DC=education, with scope sub (pf::Authentication::Source::LDAPSource::match_in_subclass)
> Jan 16 08:54:46 <redacted> httpd.aaa-docker-wrapper[3005]: httpd.aaa(7) WARN: [mac:18:5e:0f:cc:39:86] [AD_MachineAuthentication Catch-All] Searching for (servicePrincipalName=COL-ELT-03.pfa.education), from OU=Computers,OU=PFA,DC=pfa,DC=education, with scope sub (pf::Authentication::Source::LDAPSource::match_in_subclass)
> Jan 16 08:54:46 <redacted> httpd.aaa-docker-wrapper[3005]: httpd.aaa(7) WARN: [mac:18:5e:0f:cc:39:86] No role specified or found for pid COL-ELT-03.pfa.education (MAC 18:5e:0f:cc:39:86); assume maximum number of registered nodes is reached (pf::node::is_max_reg_nodes_reached)
>
> Regards
>
> Corey Keeling | Senior IT Technician
>
> ------------------------------
> From: Corey Keeling (Shared Services IT - Staff) <corey.keel...@parksidecc.org.uk>
> Sent: 16 January 2025 08:18
> To: packetfence-users@lists.sourceforge.net <packetfence-users@lists.sourceforge.net>
> Subject: AD - Machine Authentication
>
> Dear all,
>
> I have had PacketFence set up successfully for a year or so now with AD user authentication and Entra machine authentication, but I can't seem to get AD machine authentication to work correctly.
>
> I have a connection profile set up to filter based on Wireless-EAP and SSID.
>
> [ULCC-Curriculum]
> autoregister=enabled
> filter=connection_type:Wireless-802.11-EAP,ssid:ULCC-Curriculum
> advanced_filter=
> filter_match_style=all
> locale=
> sources=EntraID-MachineAuthentication,AD_MachineAuthentication
> unreg_on_acct_stop=enabled
>
> I have an authentication profile set up for AD and to filter based on security group.
>
> [AD_MachineAuthentication]
> set_access_durations_action=
> scope=sub
> verify=none
> encryption=none
> password=<redacted>
> searchattributes=
> basedn=OU=Computers,OU=PFA,DC=pfa,DC=education
> realms=pfa.education
> shuffle=0
> dead_duration=60
> description=Authenticates against AD Computers.
> cache_match=0
> type=AD
> host=<redacted>
> email_attribute=mail
> monitor=1
> use_connector=1
> binddn=<redacted>
> connection_timeout=1
> write_timeout=5
> port=389
> usernameattribute=servicePrincipalName
> read_timeout=10
> dynamic_routing_module=AuthModule
>
> [AD_MachineAuthentication rule Curriculum]
> status=enabled
> condition0=ldap:memberOf,is member of,CN=Domain Computers,CN=Users,DC=pfa,DC=education
> class=authentication
> action0=set_access_duration=5D
> action1=set_role=ad_machine
> match=all
>
> [AD_MachineAuthentication rule Catch-All]
> action0=set_role=REJECT
> action1=set_access_duration=1h
> match=all
> status=enabled
> class=authentication
>
> I have created a realm for pfa.education.
> I have tried stripping and not stripping the pfa.education, but it makes no difference.
>
> [pfa.education]
> eduroam_radius_acct_proxy_type=load-balance
> eduroam_radius_auth=
> radius_acct_proxy_type=load-balance
> eduroam_radius_acct=
> domain=pfa
> radius_auth_proxy_type=keyed-balance
> eduroam_radius_auth_proxy_type=keyed-balance
> admin_strip_username=enabled
> eduroam_radius_auth_compute_in_pf=enabled
> eap=default
> permit_custom_attributes=disabled
> radius_acct=
> radius_auth=
> portal_strip_username=enabled
> radius_strip_username=enabled
> radius_auth_compute_in_pf=enabled
>
> From what I can see from the audit page, the computer is hitting Packetfence, it knows it should use the ULCC-Curriculum connection profile and detects the correct realm, but doesn't use the authentication profile and so gets rejected as it couldn't compute any roles.
>
> Can anyone please help me with what I am missing to get this working?
>
> Regards
>
> Corey Keeling | Senior IT Technician
_______________________________________________ PacketFence-users mailing list PacketFence-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/packetfence-users
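The httpd.aaa lines quoted in the thread show the sequence PacketFence follows for a machine-authentication request: the authorize call carrying the RADIUS username, one LDAP search per authentication rule built from the source's usernameattribute and basedn, and the closing "No role specified or found" when none of the rules matched. As an added example (not from the thread and not PacketFence project code), the script below parses lines of that shape, groups them per client MAC, and reports what was searched and how the request ended, which is the first check to make before editing rules. The sample log is constructed from the quoted lines with the redacted host and switch IP replaced by placeholder values; the hint about `HOST/` values is general Active Directory knowledge about how computer objects populate servicePrincipalName, not something the thread states, and the working rule from the reply is in an image that is not reproduced here.

```python
import re
from collections import OrderedDict

# Constructed sample: the four httpd.aaa lines from the thread, with the
# redacted hostname and switch IP replaced by placeholders.
SAMPLE_LOG = """\
Jan 16 08:54:46 pf-host httpd.aaa-docker-wrapper[3005]: httpd.aaa(7) INFO: [mac:18:5e:0f:cc:39:86] handling radius autz request: from switch_ip => (192.0.2.10), connection_type => Wireless-802.11-EAP, switch_mac => (30:cb:c7:54:8d:12), mac => [18:5e:0f:cc:39:86], port => 0, username => "COL-ELT-03.pfa.education", ssid => ULCC-Curriculum (pf::radius::authorize)
Jan 16 08:54:46 pf-host httpd.aaa-docker-wrapper[3005]: httpd.aaa(7) WARN: [mac:18:5e:0f:cc:39:86] [AD_MachineAuthentication Curriculum] Searching for (servicePrincipalName=COL-ELT-03.pfa.education), from OU=Computers,OU=PFA,DC=pfa,DC=education, with scope sub (pf::Authentication::Source::LDAPSource::match_in_subclass)
Jan 16 08:54:46 pf-host httpd.aaa-docker-wrapper[3005]: httpd.aaa(7) WARN: [mac:18:5e:0f:cc:39:86] [AD_MachineAuthentication Catch-All] Searching for (servicePrincipalName=COL-ELT-03.pfa.education), from OU=Computers,OU=PFA,DC=pfa,DC=education, with scope sub (pf::Authentication::Source::LDAPSource::match_in_subclass)
Jan 16 08:54:46 pf-host httpd.aaa-docker-wrapper[3005]: httpd.aaa(7) WARN: [mac:18:5e:0f:cc:39:86] No role specified or found for pid COL-ELT-03.pfa.education (MAC 18:5e:0f:cc:39:86); assume maximum number of registered nodes is reached (pf::node::is_max_reg_nodes_reached)
"""

MAC_RE = re.compile(r"\[mac:([0-9a-f:]{17})\]")
AUTHZ_RE = re.compile(r'username => "([^"]*)", ssid => (\S+) \(')
# "[<source> <rule>] Searching for (<attr>=<value>), from <basedn>, with scope <scope>"
SEARCH_RE = re.compile(
    r"\] \[(\S+) ([^\]]+)\] Searching for \((\w+)=([^)]*)\), from (.+?), with scope (\w+)"
)
NOROLE_RE = re.compile(r"No role specified or found for pid (\S+)")


def summarize(log_text):
    """Group httpd.aaa lines by client MAC. For each client record the RADIUS
    username and SSID, every LDAP search PacketFence issued (source, rule,
    attribute, value, base DN, scope) and whether the request ended with no
    role assigned."""
    sessions = OrderedDict()
    for line in log_text.splitlines():
        m = MAC_RE.search(line)
        if not m:
            continue
        s = sessions.setdefault(
            m.group(1),
            {"username": None, "ssid": None, "searches": [], "no_role": False},
        )
        a = AUTHZ_RE.search(line)
        if a:
            s["username"], s["ssid"] = a.group(1), a.group(2)
        q = SEARCH_RE.search(line)
        if q:
            source, rule, attr, value, basedn, scope = q.groups()
            s["searches"].append({"source": source, "rule": rule, "attr": attr,
                                  "value": value, "basedn": basedn, "scope": scope})
        if NOROLE_RE.search(line):
            s["no_role"] = True
    return sessions


def diagnose(session):
    """Return plain-language findings for one client summary."""
    findings = []
    if session["no_role"]:
        findings.append("request ended with no role: every rule that was evaluated "
                        "failed to match, so the catch-all never fired either")
    for attr, value in sorted({(q["attr"], q["value"]) for q in session["searches"]}):
        if value == session["username"]:
            findings.append(
                f"rules searched ({attr}={value}); the object is only found if its "
                f"{attr} attribute literally equals the RADIUS username, so confirm "
                f"that with an ldapsearch from the PacketFence host"
            )
        # General AD knowledge, not from the thread: computer objects carry
        # servicePrincipalName values of the form HOST/<name> and HOST/<fqdn>,
        # so an equality filter on the bare FQDN does not match them.
        if attr == "servicePrincipalName" and not value.upper().startswith("HOST/"):
            findings.append(
                f"servicePrincipalName filter value {value!r} has no HOST/ prefix; "
                f"AD computer SPNs are stored as HOST/<name>, so an equality match "
                f"on the bare name will not find the computer object"
            )
    return findings


if __name__ == "__main__":
    for mac, s in summarize(SAMPLE_LOG).items():
        print(f"{mac}: user={s['username']} ssid={s['ssid']}")
        for q in s["searches"]:
            print(f"  [{q['source']} {q['rule']}] ({q['attr']}={q['value']}) "
                  f"base={q['basedn']} scope={q['scope']}")
        for f in diagnose(s):
            print(f"  ! {f}")
```

Run it against `/usr/local/pf/logs/httpd.aaa.log` (or the container's stdout) by reading the file into `summarize()` instead of `SAMPLE_LOG`; the per-rule search lines are what tell you whether the source was consulted at all and with which attribute and base DN, which is exactly the distinction the original post was unsure about.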