Hello PacketFence community,

I implemented 802.1x auth (Ethernet-EAP) against a Windows AD. Both machine and user accounts are working. Great so far!

After that I implemented MAC-based auth for printers. The switch config is fine, as I see a request in the logs:

Jun 24 07:56:45 nac01 packetfence_httpd.aaa[29221]: httpd.aaa(1439) INFO: [mac:9c:ae:d3:aa:7b:29] handling radius autz request: from switch_ip => (10.10.101.1), connection_type => Ethernet-NoEAP,switch_mac => (94:f1:28:18:fc:b6), mac => [9c:ae:d3:aa:7b:29], port => 74, username => "9caed3aa7b29" (pf::radius::authorize)
Jun 24 07:56:45 nac01 packetfence_httpd.aaa[29221]: httpd.aaa(1439) INFO: [mac:9c:ae:d3:aa:7b:29] Instantiate profile mac-auth-ethernet (pf::Connection::ProfileFactory::_from_profile)

If I create a new node with the MAC, the node is authenticated and the VLAN will be assigned in the RADIUS answer.

Is there a way to authenticate the Ethernet-NoEAP request against an AD object? The idea behind that: create objects in AD with the MAC address and manage the printers there.

What I tried so far:

* New AD user with name and password set to MAC address: not working
* New AD computer with attribute "uid" set to MAC address and adjusted Authentication Source Username Attribute to "uid": not working

The log is always the same:

Jun 24 08:09:37 nac01 packetfence_httpd.aaa[2020]: httpd.aaa(1420) INFO: [mac:9c:ae:d3:aa:7b:29] handling radius autz request: from switch_ip => (10.10.101.1), connection_type => Ethernet-NoEAP,switch_mac => (94:f1:28:18:fc:b6), mac => [9c:ae:d3:aa:7b:29], port => 74, username => "9caed3aa7b29" (pf::radius::authorize)
Jun 24 08:09:37 nac01 packetfence_httpd.aaa[2020]: httpd.aaa(1420) INFO: [mac:9c:ae:d3:aa:7b:29] Instantiate profile mac-auth-ethernet (pf::Connection::ProfileFactory::_from_profile)
Jun 24 08:09:37 nac01 packetfence_httpd.aaa[2020]: httpd.aaa(1420) INFO: [mac:9c:ae:d3:aa:7b:29] Found authentication source(s) : 'printer' for realm 'null' (pf::config::util::filter_authentication_sources)
Jun 24 08:09:37 nac01 packetfence_httpd.aaa[2020]: httpd.aaa(1420) INFO: [mac:9c:ae:d3:aa:7b:29] Connection type is MAC-AUTH. Getting role from Authorization source (pf::role::getRegisteredRole)
Jun 24 08:09:37 nac01 packetfence_httpd.aaa[2020]: httpd.aaa(1420) WARN: [mac:9c:ae:d3:aa:7b:29] Use of uninitialized value $role in concatenation (.) or string at /usr/local/pf/lib/pf/role.pm line 489. (pf::role::getRegisteredRole)
Jun 24 08:09:37 nac01 packetfence_httpd.aaa[2020]: httpd.aaa(1420) INFO: [mac:9c:ae:d3:aa:7b:29] Username was NOT defined or unable to match a role - returning node based role '' (pf::role::getRegisteredRole)
Jun 24 08:09:37 nac01 packetfence_httpd.aaa[2020]: httpd.aaa(1420) INFO: [mac:9c:ae:d3:aa:7b:29] PID: "default", Status: reg Returned VLAN: (undefined), Role: (undefined) (pf::role::fetchRoleForNode)
Jun 24 08:09:37 nac01 packetfence_httpd.aaa[2020]: httpd.aaa(1420) WARN: [mac:9c:ae:d3:aa:7b:29] Use of uninitialized value $vlanName in hash element at /usr/local/pf/lib/pf/Switch.pm line 635. (pf::Switch::getVlanByName)
Jun 24 08:09:37 nac01 packetfence_httpd.aaa[2020]: httpd.aaa(1420) WARN: [mac:9c:ae:d3:aa:7b:29] Use of uninitialized value $name in exists at /usr/local/pf/lib/pf/Switch.pm line 669. (pf::Switch::_parentRoleForVlan)
Jun 24 08:09:37 nac01 packetfence_httpd.aaa[2020]: httpd.aaa(1420) WARN: [mac:9c:ae:d3:aa:7b:29] Use of uninitialized value $vlanName in concatenation (.) or string at /usr/local/pf/lib/pf/Switch.pm line 642. (pf::Switch::getVlanByName)
Jun 24 08:09:37 nac01 packetfence_httpd.aaa[2020]: httpd.aaa(1420) WARN: [mac:9c:ae:d3:aa:7b:29] No parameter Vlan found in conf/switches.conf for the switch 10.10.101.1 (pf::Switch::getVlanByName)

Any idea/hint how to store the printer information in AD and verify it from PacketFence with Ethernet-NoEAP?

Thank you all and have a great day!
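The failure shown in the log above, picked out programmatically, as an added example that is not part of the original post or of PacketFence's own code: this Python script groups httpd.aaa lines by process id and MAC and lists the MAC-auth (NoEAP) requests that ended without a role. The first four sample lines are copied from the post; the last two, with MAC 00:00:5e:00:53:01 and role "printers", are constructed, and the function names are assumptions.

```python
import re

# First four lines: copied from the post (abridged to the relevant ones).
# Last two lines: constructed (hypothetical MAC and role) to show a request that resolves.
SAMPLE = '''\
Jun 24 08:09:37 nac01 packetfence_httpd.aaa[2020]: httpd.aaa(1420) INFO: [mac:9c:ae:d3:aa:7b:29] handling radius autz request: from switch_ip => (10.10.101.1), connection_type => Ethernet-NoEAP,switch_mac => (94:f1:28:18:fc:b6), mac => [9c:ae:d3:aa:7b:29], port => 74, username => "9caed3aa7b29" (pf::radius::authorize)
Jun 24 08:09:37 nac01 packetfence_httpd.aaa[2020]: httpd.aaa(1420) INFO: [mac:9c:ae:d3:aa:7b:29] Found authentication source(s) : 'printer' for realm 'null' (pf::config::util::filter_authentication_sources)
Jun 24 08:09:37 nac01 packetfence_httpd.aaa[2020]: httpd.aaa(1420) WARN: [mac:9c:ae:d3:aa:7b:29] Use of uninitialized value $role in concatenation (.) or string at /usr/local/pf/lib/pf/role.pm line 489. (pf::role::getRegisteredRole)
Jun 24 08:09:37 nac01 packetfence_httpd.aaa[2020]: httpd.aaa(1420) INFO: [mac:9c:ae:d3:aa:7b:29] PID: "default", Status: reg Returned VLAN: (undefined), Role: (undefined) (pf::role::fetchRoleForNode)
Jun 24 08:10:02 nac01 packetfence_httpd.aaa[2020]: httpd.aaa(1420) INFO: [mac:00:00:5e:00:53:01] handling radius autz request: from switch_ip => (10.10.101.1), connection_type => Ethernet-NoEAP,switch_mac => (94:f1:28:18:fc:b6), mac => [00:00:5e:00:53:01], port => 75, username => "00005e005301" (pf::radius::authorize)
Jun 24 08:10:02 nac01 packetfence_httpd.aaa[2020]: httpd.aaa(1420) INFO: [mac:00:00:5e:00:53:01] PID: "default", Status: reg Returned VLAN: (undefined), Role: printers (pf::role::fetchRoleForNode)
'''

LINE = re.compile(r'httpd\.aaa\[(\d+)\]: httpd\.aaa\(\d+\) (\w+): \[mac:([0-9a-f:]{17})\] (.*)')
REQUEST = re.compile(r'from switch_ip => \(([^)]+)\), connection_type => ([\w-]+),.*port => (\d+), username => "([^"]*)"')
SOURCES = re.compile(r"Found authentication source\(s\) : '([^']*)' for realm")
RESULT = re.compile(r'Returned VLAN: (\S+), Role: (\S+)')

def parse_requests(text):
    """Return one dict per RADIUS authorization request, in log order."""
    requests, current = [], {}
    for line in text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        pid, level, mac, msg = m.groups()
        if (r := REQUEST.search(msg)):  # a new request starts a new record
            current[(pid, mac)] = dict(mac=mac, switch_ip=r[1], connection_type=r[2], port=int(r[3]),
                                       username=r[4], sources=None, vlan=None, role=None, warnings=0)
            requests.append(current[(pid, mac)])
            continue
        req = current.get((pid, mac))
        if req is None:  # follow-up line without a request seen first
            continue
        if level == 'WARN':
            req['warnings'] += 1
        if (s := SOURCES.search(msg)):
            req['sources'] = s[1]
        if (v := RESULT.search(msg)):  # "(undefined)" in the log becomes None
            req['vlan'], req['role'] = (None if x == '(undefined)' else x for x in v.groups())
    return requests

def unresolved_mac_auth(requests):
    """MAC-auth (NoEAP) requests for which no role was returned."""
    return [r for r in requests if r['connection_type'].endswith('NoEAP') and r['role'] is None]

if __name__ == '__main__':
    for r in unresolved_mac_auth(parse_requests(SAMPLE)):
        print(r['mac'], r['switch_ip'], 'port', r['port'], 'sources:', r['sources'], 'warnings:', r['warnings'])
```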
