Hello Ludovic,
thank you for this answer. It is way clearer now.
I found some NACs doing computer authentication, but it looks like they are
only doing hostname checking against AD.
Is that possible with the web UI of PacketFence?
Thank you,
On 21/01/2022 at 15:39, Zammit, Ludovic wrote:
Hello Mathieu,
You can't do both at the same time: it's either the machine
authenticating at boot on the network and when no one is logged in,
or user authentication when a user authenticates.
It's one or the other.
Thanks,
PS: You can take support hours if you want us to help configure
your setup; it might be easier.
*Ludovic Zammit*
*Product Support Engineer Principal*
*Cell:* +1.613.670.8432
Akamai Technologies - Inverse
145 Broadway
Cambridge, MA 02142
Connect with Us: <https://community.akamai.com>
<http://blogs.akamai.com> <https://twitter.com/akamai>
<http://www.facebook.com/AkamaiTechnologies>
<http://www.linkedin.com/company/akamai-technologies>
<http://www.youtube.com/user/akamaitechnologies?feature=results_main>
On Jan 21, 2022, at 9:22 AM, Mathieu Valois <[email protected]> wrote:
Hello Ludovic,
yes, we did reboot the machine. However, even if the computer does not
engage machine authentication, why does PacketFence authorize it?
To be clear, we need both authentications, meaning the computer has to
be in the AD and the user should be authenticated as well.
It looks like PacketFence is doing one or the other authentication,
not both at the same time.
On 21/01/2022 at 14:54, Zammit, Ludovic wrote:
Hello Mathieu,
Did you try to reboot the computer or log off to engage computer
authentication?
I can only see user authentication.
Thanks,
On Jan 21, 2022, at 3:37 AM, Mathieu Valois <[email protected]> wrote:
Hi,
here are 2 authentications from 2 different machines: an AD-joined
one and one without.
[screenshot attached: Screenshot 2022-01-21 at 09-33-02 PacketFence.png]
On 20/01/2022 at 21:05, Zammit, Ludovic wrote:
Show me the audit page for that authentication.
Thanks,
On Jan 20, 2022, at 11:00 AM, Mathieu Valois <[email protected]>
wrote:
Ludovic,
Even with these settings, authentication succeeds because the
user matches the second rule, meaning that if the computer is not
in the Active Directory, the user can still do 802.1X successfully.
On 20/01/2022 at 15:18, Zammit, Ludovic wrote:
Hello Mathieu,
Make sure that your Windows supplicant is configured this way:
[screenshot attached: Configure the Protected EAP authentication method in the PEAP properties of the Windows 10 802.1X configuration]
Log off and it should engage the computer authentication.
Thanks,
On Jan 20, 2022, at 6:17 AM, Mathieu Valois
<[email protected]> wrote:
Hello Ludovic,
thank you for your answer.
Currently, it looks like the supplicant does not engage both
computer and user auth. We're looking for a solution for this.
However, look at what I've set:
[screenshot attached]
With such settings, users can still authenticate even if the
machine is not in the AD group. Here are the logs:
Jan 20 11:13:22 test-nac-fence2 packetfence_httpd.aaa[2123186]: httpd.aaa(1204466) WARN: [mac:] [ad_user_auth computerAuth] Searching for (&(&(|(sAMAccountName=a.cedic)(servicePrincipalName=a.cedic)))(servicePrincipalName=host/*)), from DC=mutu,DC=local, with scope sub (pf::Authentication::Source::LDAPSource::match_in_subclass)
Jan 20 11:13:22 test-nac-fence2 packetfence_httpd.aaa[2123186]: httpd.aaa(1204466) INFO: [mac:] LDAP testing connection (pf::LDAP::expire_if)
Jan 20 11:13:22 test-nac-fence2 packetfence_httpd.aaa[2123186]: httpd.aaa(1204466) ERROR: [mac:] Error binding: 'Connection reset by peer' (pf::LDAP::log_error_msg)
Jan 20 11:13:22 test-nac-fence2 packetfence_httpd.aaa[2123186]: httpd.aaa(1204466) WARN: [mac:] LDAP connection expired (pf::LDAP::expire_if)
Jan 20 11:13:22 test-nac-fence2 packetfence_httpd.aaa[2123186]: httpd.aaa(1204466) WARN: [mac:] [ad_user_auth set_role_agent] Searching for (&(|(sAMAccountName=a.cedic)(servicePrincipalName=a.cedic))), from DC=mutu,DC=local, with scope sub (pf::Authentication::Source::LDAPSource::match_in_subclass)
Jan 20 11:13:22 test-nac-fence2 packetfence_httpd.aaa[2123186]: httpd.aaa(1204466) INFO: [mac:] Matched rule (set_role_agent) in source ad_user_auth, returning actions. (pf::Authentication::Source::match_rule)
As if, when the first fails, the second is still tested.
On 18/01/2022 at 14:45, Zammit, Ludovic wrote:
Hello Mathieu,
The user AD source does a lookup on sAMAccountName and the
computer source does a lookup on servicePrincipalName; those
are two different things. You can match one at a time, meaning:
Computer login on the domain = Computer authentication
User login on the domain = User authentication
The 802.1X supplicant needs to be configured to do both
authentications.
Here is what I advise you to do:
Create one AD source with principal attribute = sAMAccountName,
then add search attribute = servicePrincipalName. Then create
a rule named computerAuth with the condition
servicePrincipalName starts with host/, and assign a computer role.
Create another rule, for example, to match your users, like
memberOf equals DISTINGUISHEDNAME-OF-A-GROUP, returning role Staff.
So with one source you could match users and computers. Make
sure the device engages computer auth AND user authentication
when the user logs in.
Thanks,
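The behaviour described in this reply (one AD source, a computerAuth rule on servicePrincipalName and a memberOf rule for users, rules tried in order with the first match returning its actions) and the log posted earlier in the thread, where the computerAuth search for a.cedic finds nothing and set_role_agent still matches, can be modelled in a few lines. This is an added example, not PacketFence's own code: the directory entries, the group DN CN=Staff,OU=Groups,DC=mutu,DC=local, the identities and the rule-evaluation order are constructed or assumed from what the thread says, and the filter shape follows the log lines above.

```python
"""Model of how one AD source with two rules treats the two 802.1X
identities (machine vs user) discussed in this thread.

Added example, not PacketFence code. Assumed behaviour, taken from the
thread: the source looks up the EAP identity by sAMAccountName or
servicePrincipalName, each rule's condition is pushed into the LDAP
filter, rules are tried in order and the first match returns its actions.
Directory entries, group DN and identities below are constructed.
"""
from dataclasses import dataclass
from typing import Callable, Optional

# Constructed sample directory (DC=mutu,DC=local as in the thread's log).
STAFF_GROUP = "CN=Staff,OU=Groups,DC=mutu,DC=local"
DIRECTORY = [
    {   # a user: has a sAMAccountName, no host/ SPN
        "sAMAccountName": ["a.cedic"],
        "memberOf": [STAFF_GROUP],
        "servicePrincipalName": [],
    },
    {   # a domain-joined computer: host/ SPNs registered by the join
        "sAMAccountName": ["PC01$"],
        "memberOf": [],
        "servicePrincipalName": ["HOST/PC01", "HOST/pc01.mutu.local"],
    },
]


def ldap_escape(value: str) -> str:
    """RFC 4515 escaping for values taken from the EAP identity, so a crafted
    identity cannot inject filter syntax. The rule's own host/* keeps its
    wildcard because it is never passed through here."""
    return (value.replace("\\", "\\5c").replace("*", "\\2a")
                 .replace("(", "\\28").replace(")", "\\29").replace("\0", "\\00"))


def build_filter(identity: str, rule_condition: Optional[str] = None) -> str:
    """Search filter in the shape shown in the thread's log: the identity is
    matched against sAMAccountName or servicePrincipalName, AND-ed with the
    rule's LDAP condition when the rule has one."""
    ident = ldap_escape(identity)
    base = f"(|(sAMAccountName={ident})(servicePrincipalName={ident}))"
    return f"(&{base}{rule_condition})" if rule_condition else base


def lookup(identity: str) -> Optional[dict]:
    """Resolve the EAP identity to a directory entry (AD matching on these
    attributes is case-insensitive)."""
    ident = identity.lower()
    for entry in DIRECTORY:
        names = entry["sAMAccountName"] + entry["servicePrincipalName"]
        if ident in (n.lower() for n in names):
            return entry
    return None


@dataclass
class Rule:
    name: str
    ldap_condition: Optional[str]       # appended to the search filter
    matches: Callable[[dict], bool]     # the same condition, evaluated locally
    role: str


RULES = [
    Rule("computerAuth", "(servicePrincipalName=host/*)",
         lambda e: any(s.lower().startswith("host/") for s in e["servicePrincipalName"]),
         "computer"),
    Rule("set_role_agent", f"(memberOf={STAFF_GROUP})",
         lambda e: STAFF_GROUP in e["memberOf"],
         "Staff"),
]


def authorize(identity: str, rules=RULES) -> Optional[tuple]:
    """First matching rule wins: returns (rule name, role), or None (reject).
    A single RADIUS request carries a single identity, so at most one of the
    two rules can apply to it; a user identity that fails computerAuth is
    still tested against the next rule."""
    entry = lookup(identity)
    if entry is None:
        return None
    for rule in rules:
        if rule.matches(entry):
            return rule.name, rule.role
    return None


if __name__ == "__main__":
    # The user identity fails computerAuth but matches the second rule,
    # which is exactly what the log in the thread shows.
    print(build_filter("a.cedic", RULES[0].ldap_condition))
    print("a.cedic ->", authorize("a.cedic"))
    print("host/pc01.mutu.local ->", authorize("host/pc01.mutu.local"))
    print("host/rogue.mutu.local ->", authorize("host/rogue.mutu.local"))
```

Run stand-alone, the user identity a.cedic comes back with the Staff role even though it never matched computerAuth, the joined computer's host/ identity comes back with the computer role, and an unjoined host is rejected. Since each RADIUS request carries one identity, requiring "both" within a single source is not expressible as a rule; it has to come from the supplicant performing the two authentications separately.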
On Jan 18, 2022, at 4:17 AM, Mathieu Valois via
PacketFence-users <[email protected]>
wrote:
Hello,
I would like to authenticate both machine and user using an
AD authentication source. I've made 2 authentication sources:
one for machines and one for users, following the installation
guide.
In the Standard Connection Profiles I've set both sources
and used an ALL (AND) operator. However, it looks like only
the first matching source is used.
Is it expected?
Thank you for your help,
--
téïcée <https://www.teicee.com/?pk_campaign=Email>
*Mathieu Valois*
Caen office: Quartier Kœnig - 153, rue Géraldine MOCK - 14760
Bretteville-sur-Odon
Vitré office: Zone de la baratière - 12, route de Domalain - 35500 Vitré
02 72 34 13 20 | www.teicee.com
Facebook <https://www.facebook.com/teicee> | Twitter <https://twitter.com/Teicee_fr>
| LinkedIn <https://www.linkedin.com/company/t-c-e> | Viadeo <https://fr.viadeo.com/fr/company/teicee>
_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users