Hello Ludovic,

thank you very much, I'll try that :)

Cheers,

On 20/01/2022 at 15:18, Zammit, Ludovic wrote:
Hello Matthieu,

Make sure that your windows supplicant is configured that way:

Configure Windows 10 for 802.1X User Authentication - Virtualization Howto

[SOLVED] 802.1x RADIUS to auth by computers AND user groups on 2012 NPS server? - Windows Server

Log off and it should engage the computer authentication.

Thanks,

*Ludovic Zammit*
*Product Support Engineer Principal*

*Cell:* +1.613.670.8432
        Akamai Technologies - Inverse
145 Broadway
Cambridge, MA 02142



On Jan 20, 2022, at 6:17 AM, Mathieu Valois <[email protected]> wrote:

Hello Ludovic,

thank you for your answer.

Currently, it looks like the supplicant does not engage both computer and user auth. We're looking for a solution for this.

However, look at what I've set:

[attached screenshot: tK0YPWM4oP3I5ABN.png]

With such settings, users can still authenticate even if the machine is not in the AD group. Here are the logs:

    Jan 20 11:13:22 test-nac-fence2 packetfence_httpd.aaa[2123186]: httpd.aaa(1204466) WARN: [mac:] [ad_user_auth computerAuth] Searching for (&(&(|(sAMAccountName=a.cedic)(servicePrincipalName=a.cedic)))(servicePrincipalName=host/*)), from DC=mutu,DC=local, with scope sub (pf::Authentication::Source::LDAPSource::match_in_subclass)
    Jan 20 11:13:22 test-nac-fence2 packetfence_httpd.aaa[2123186]: httpd.aaa(1204466) INFO: [mac:] LDAP testing connection (pf::LDAP::expire_if)
    Jan 20 11:13:22 test-nac-fence2 packetfence_httpd.aaa[2123186]: httpd.aaa(1204466) ERROR: [mac:] Error binding: 'Connection reset by peer' (pf::LDAP::log_error_msg)
    Jan 20 11:13:22 test-nac-fence2 packetfence_httpd.aaa[2123186]: httpd.aaa(1204466) WARN: [mac:] LDAP connection expired (pf::LDAP::expire_if)
    Jan 20 11:13:22 test-nac-fence2 packetfence_httpd.aaa[2123186]: httpd.aaa(1204466) WARN: [mac:] [ad_user_auth set_role_agent] Searching for (&(|(sAMAccountName=a.cedic)(servicePrincipalName=a.cedic))), from DC=mutu,DC=local, with scope sub (pf::Authentication::Source::LDAPSource::match_in_subclass)
    Jan 20 11:13:22 test-nac-fence2 packetfence_httpd.aaa[2123186]: httpd.aaa(1204466) INFO: [mac:] Matched rule (set_role_agent) in source ad_user_auth, returning actions. (pf::Authentication::Source::match_rule)

As if, when the first one fails, the second one is still tested.

On 18/01/2022 at 14:45, Zammit, Ludovic wrote:
Hello Mathieu,

The user AD source does a lookup on sAMAccountName and the computer source does a lookup on servicePrincipalName; those are two different things. You can match one at a time, meaning:

Computer login on the domain = Computer authentication

User login on the domain = User authentication

The 802.1x supplicant needs to be configured to do both authentications.

Here is what I advise you to do:

Create one AD source with principal attribute = sAMAccountName, then add search attribute = servicePrincipalName. Then create a rule named computerAuth that does a lookup on the condition servicePrincipalName starts with host/, and assign a computer role. Create another rule, for example to match on your users with memberOf equals DISTINGUISHEDNAME-OF-A-GROUP, returning role Staff.

So with one source you could match users and computers. Make sure the device engages Computer Auth AND user authentication when the user logs in.

Thanks,

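As an added illustration of the rule behaviour discussed in this thread (editor's example, not PacketFence code and not the poster's configuration): a small Python model of one AD source with principal attribute sAMAccountName and search attribute servicePrincipalName, a computerAuth rule on servicePrincipalName starting with host/ and a memberOf rule returning Staff, plus a scan of the httpd.aaa log lines from Mathieu's message that reports requests where the computer rule was evaluated but another rule ended up returning the actions. The directory entries, the computer object LAPTOP01 and the group CN=Staff,OU=Groups,DC=mutu,DC=local are assumptions; a.cedic, host/, DC=mutu,DC=local, the source name and the rule names come from the thread. The scan is slightly more general than the thread: the rule that must not be skipped is a parameter rather than fixed to computerAuth.

```python
"""Added example (not PacketFence code).  Models the single-source, two-rule
setup recommended in the thread and scans the poster's httpd.aaa log for the
fall-through they saw.  Directory entries, DNs and the group name are
constructed; only a.cedic, host/, DC=mutu,DC=local and the rule names come
from the thread."""
import re

STAFF_GROUP = "CN=Staff,OU=Groups,DC=mutu,DC=local"  # assumed group DN
DIRECTORY = [  # constructed AD objects: one computer, one user
    {"sAMAccountName": "LAPTOP01$",
     "servicePrincipalName": ["HOST/laptop01.mutu.local", "HOST/LAPTOP01"],
     "memberOf": ["CN=NAC-Computers,OU=Groups,DC=mutu,DC=local"]},
    {"sAMAccountName": "a.cedic",
     "servicePrincipalName": [],
     "memberOf": [STAFF_GROUP]},
]

def ldap_escape(value):
    """RFC 4515 escaping; the EAP identity is client-supplied input."""
    return "".join(f"\\{ord(c):02x}" if c in "\\*()\0" else c for c in value)

def source_filter(identity):
    """Lookup every rule starts from: principal attribute OR search attribute."""
    i = ldap_escape(identity)
    return f"(|(sAMAccountName={i})(servicePrincipalName={i}))"

def computer_auth_filter(identity):
    """computerAuth rule: the same lookup AND a servicePrincipalName starting with host/."""
    return f"(&{source_filter(identity)}(servicePrincipalName=host/*))"

def lookup(identity):
    """In-memory equivalent of source_filter(); AD compares these attributes case-insensitively."""
    i = identity.lower()
    return [e for e in DIRECTORY
            if e["sAMAccountName"].lower() == i
            or any(s.lower() == i for s in e["servicePrincipalName"])]

RULES = [  # (rule name, condition on the entry found, role returned)
    ("computerAuth",
     lambda e: any(s.lower().startswith("host/") for s in e["servicePrincipalName"]),
     "computer"),
    ("set_role_agent",
     lambda e: any(g.lower() == STAFF_GROUP.lower() for g in e["memberOf"]),
     "Staff"),
]

def match_rules(identity):
    """Rules are tried in order and the first hit wins: they are alternatives,
    not an AND, so the user rule fires whatever happened on the machine side."""
    for name, cond, role in RULES:
        if any(cond(e) for e in lookup(identity)):
            return name, role
    return None, None

# Log lines copied from the thread (line wrapping removed).
THREAD_LOG = """\
Jan 20 11:13:22 test-nac-fence2 packetfence_httpd.aaa[2123186]: httpd.aaa(1204466) WARN: [mac:] [ad_user_auth computerAuth] Searching for (&(&(|(sAMAccountName=a.cedic)(servicePrincipalName=a.cedic)))(servicePrincipalName=host/*)), from DC=mutu,DC=local, with scope sub (pf::Authentication::Source::LDAPSource::match_in_subclass)
Jan 20 11:13:22 test-nac-fence2 packetfence_httpd.aaa[2123186]: httpd.aaa(1204466) INFO: [mac:] LDAP testing connection (pf::LDAP::expire_if)
Jan 20 11:13:22 test-nac-fence2 packetfence_httpd.aaa[2123186]: httpd.aaa(1204466) ERROR: [mac:] Error binding: 'Connection reset by peer' (pf::LDAP::log_error_msg)
Jan 20 11:13:22 test-nac-fence2 packetfence_httpd.aaa[2123186]: httpd.aaa(1204466) WARN: [mac:] LDAP connection expired (pf::LDAP::expire_if)
Jan 20 11:13:22 test-nac-fence2 packetfence_httpd.aaa[2123186]: httpd.aaa(1204466) WARN: [mac:] [ad_user_auth set_role_agent] Searching for (&(|(sAMAccountName=a.cedic)(servicePrincipalName=a.cedic))), from DC=mutu,DC=local, with scope sub (pf::Authentication::Source::LDAPSource::match_in_subclass)
Jan 20 11:13:22 test-nac-fence2 packetfence_httpd.aaa[2123186]: httpd.aaa(1204466) INFO: [mac:] Matched rule (set_role_agent) in source ad_user_auth, returning actions. (pf::Authentication::Source::match_rule)
"""

REQ_RE = re.compile(r"httpd\.aaa\((\d+)\) (\w+): \[mac:[^\]]*\] (.*)")
SEARCH_RE = re.compile(r"\[(\w+) (\w+)\] Searching for")
MATCH_RE = re.compile(r"Matched rule \((\w+)\) in source (\w+)")

def fallthrough_requests(log_text, strict_rule="computerAuth"):
    """Group lines by request id and report requests where strict_rule was
    evaluated but a different rule returned the actions.  LDAP errors seen on
    the way are kept: in the thread the computer rule did not fail on a
    non-match, the bind failed and evaluation simply moved on to the next rule."""
    reqs = {}
    for line in log_text.splitlines():
        m = REQ_RE.search(line)
        if not m:
            continue
        req, level, msg = m.groups()
        rec = reqs.setdefault(req, {"searched": [], "matched": None, "errors": []})
        if s := SEARCH_RE.search(msg):
            rec["searched"].append(s.group(2))
        if mr := MATCH_RE.search(msg):
            rec["matched"] = mr.group(1)
        if level == "ERROR":
            rec["errors"].append(msg)
    return [{"request": req, "matched": rec["matched"],
             "skipped": [r for r in rec["searched"] if r != rec["matched"]],
             "errors": rec["errors"]}
            for req, rec in reqs.items()
            if strict_rule in rec["searched"] and rec["matched"] != strict_rule]

if __name__ == "__main__":
    print(computer_auth_filter("host/laptop01.mutu.local"))
    print(match_rules("host/laptop01.mutu.local"), match_rules("a.cedic"))
    print(fallthrough_requests(THREAD_LOG))
```

Run stand-alone, match_rules("host/laptop01.mutu.local") returns the computer role and match_rules("a.cedic") returns Staff; nothing in the second result depends on whether a machine authentication ever happened, which is the behaviour the log shows. For the thread's log the scan reports request 1204466: computerAuth was searched, set_role_agent returned the actions, and the only event between the two was an LDAP bind error ("Connection reset by peer"), so the strict rule was never actually decided. Two rules in one source are alternatives; the machine check only bites when the supplicant sends a host/ identity, that is, when it performs computer authentication as well as user authentication.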


On Jan 18, 2022, at 4:17 AM, Mathieu Valois via PacketFence-users <[email protected]> wrote:

Hello,

I would like to authenticate both machine and user using an AD authentication source. I've made 2 authentication sources: one for machine and one for users, following the installation guide.

In the Standard Connection Profiles I've set both sources and used an ALL (AND) operator. However, it looks like only the first matching source is used.

Is it expected?

Thank you for your help,

--
téïcée <https://www.teicee.com/?pk_campaign=Email> *Mathieu Valois*

Bureau Caen: Quartier Kœnig - 153, rue Géraldine MOCK - 14760 Bretteville-sur-Odon
Bureau Vitré: Zone de la baratière - 12, route de Domalain - 35500 Vitré
02 72 34 13 20 | www.teicee.com <https://www.teicee.com/?pk_campaign=Email>


_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users




