Bill,

What’s the realm assigned to your connection if you look it up in the Auditing 
tab in the web admin?

Is that realm stripping in RADIUS authorization?

Thanks,

Ludovic Zammit
[email protected] :: +1.514.447.4918 (x145) :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) 
and PacketFence (http://packetfence.org)




> On Apr 30, 2020, at 9:12 AM, Bill Handler <[email protected]> wrote:
> 
> Ludovic,
>  
> Thanks for the quick reply…
>  
> Looking in the log, I think I found the issue in this log entry:
>  
> Apr 30 08:58:19 PFserver packetfence_httpd.aaa: httpd.aaa(2385) INFO: 
> [mac:XX:XX:XX:XX:XX:XX] Role has already been computed and we don't want to 
> recompute it. Getting role from node_info (pf::role::getRegisteredRole)
>  
> Here is a screenshot of my 802.1x profile settings, which I think are correct 
> – but I’m probably wrong lol  :
>  
> <image002.jpg>
>  
>  
> Thanks,
>  
> Bill
>  
> From: Ludovic Zammit <[email protected]> 
> Sent: Thursday, April 30, 2020 7:52 AM
> To: Bill Handler <[email protected]>
> Cc: [email protected]
> Subject: Re: [PacketFence-users] 802.1x Computer and User Authentication
>  
> Hello Bill,
>  
> It looks like when it’s doing the user authentication, the EAP authentication 
> happens correctly but the authorization does not work because it is not 
> matching your rule in your AD source.
>  
> Could you paste a user authentication from the logs/packetfence.log? Remove 
> personal info. My guess is that your realm is not stripped, thus it’s not 
> passing the correct username to the AD source and not matching.
>  
> Thanks,
> 
> Ludovic Zammit
>  
> 
> 
> 
> 
> On Apr 29, 2020, at 4:48 PM, Bill Handler via PacketFence-users 
> <[email protected]> wrote:
>  
> Checking on if this is possible with PacketFence (using v10)…
>  
> For 802.1x authentication, we have set up for Users and Computers to 
> authenticate.  Currently, when a machine accesses the network it is 
> automatically authenticated and gets the Machine role (we’re working with 
> Windows 10 and GPO).  When a user logs onto that machine, the user is 
> authenticated, that user becomes the ‘Owner’ of that device – listed in the 
> nodes section and RADIUS Audit Log Entry, however, the end-system/node keeps 
> the machine role, and does not get the user’s role.
>  
> Within the connection profile for 802.1x, we have the sources set so that the 
> source for user auth (AD) is set above the machine auth, so it should get the 
> role from the user auth source.  I’ve verified using pftest and that user is 
> authenticating against that role.
>  
> We’ve used another NAC solution and when a user logs into the machine under 
> the same circumstances, the role flips to the user role.
>  
> What I think happens/is supposed to happen is when a user logs into the 
> machine, the machine logs out/deauthenticates so the user role is applied to 
> the user.  That is not happening with PacketFence.
>  
> Any ideas on how to make this happen?
>  
> Thanks,
>  
> Bill
> _______________________________________________
> PacketFence-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/packetfence-users