From: Durand f. <fd...@in...> - 2019-10-14 22:23:41
Hello Jordan,

The logic needs to be added in Freeradius, since freeradius does the 802.1x.

In fact you need to do something like that:

https://github.com/inverse-inc/packetfence/blob/devel/docs/PacketFence_Installation_Guide.asciidoc#eap-authentication-against-openldap

But in this section:

    authorize {
        suffix
        ntdomain
        eap {
            ok = return
        }
        files
        openldap
        # user found in openldap: do not use ntlm_auth for MS-CHAP
        if (found) {
            update control {
                &MS-CHAP-Use-NTLM-Auth := No
            }
        }
    }

So it means that if the user is found in openldap (in your case gsuite) then disable ntlm_auth.

Let me know if you need more details.

Regards
Fabrice

On 19-10-14 at 16:09, Jordan Dare wrote:
> Hi Durand,
>
> I have it set up like the second option you mentioned (EAP-TTLS/PAP),
> however the issue is that it tries NTLM auth no matter what order I
> have everything in, which fails for student accounts, and it stops
> when NTLM auth fails instead of moving on to the next source.
>
> On Sun, Oct 13, 2019 at 4:57 AM Durand fabrice <fd...@in...> wrote:
>> Hello Jordan,
>>
>> yes you can do that on the captive portal.
>>
>> You just need to create a connection profile with a rule that matches,
>> for example, the SSID and assign it the authentication source you want
>> to use (in first position the student one and then in 2nd position the
>> staff one).
>>
>> The other option should be to do EAP-TTLS/PAP for the student and
>> configure Freeradius to talk to G suite via ldap. (I don't have a G
>> suite account so I can't test but it should work).
>>
>> Regards
>>
>> Fabrice
>>
>>
>> On 19-10-11 at 22:11, Jordan Dare wrote:
>>> Hi Durand,
>>>
>>> Thanks for your reply.
>>>
>>> Is it possible to have it check the student source first, then if it
>>> fails go to AD? or something like that? G Suite doesn't normally do
>>> 802.1x, but they have an LDAP server you can authenticate against
>>> which is what I'm trying to do.
>>>
>>> Thanks!
>>>
>>> On Fri, Oct 11, 2019 at 5:45 PM Durand fabrice via PacketFence-users
>>> <pac...@li...> wrote:
>>>> Hello Jordan,
>>>>
>>>> the error message is related to ntlm, so it means that it tries to
>>>> authenticate the student account on the AD.
>>>>
>>>> When it fails in freeradius then the radius request doesn't reach the
>>>> packetfence code to test the authentication sources with the rules.
>>>>
>>>> So you need to find a way to authenticate your student with 802.1x and
>>>> is it possible to do 802.1x with G suite ?
>>>>
>>>> Regards
>>>>
>>>> Fabrice
>>>>
>>>>
>>>> On 19-10-03 at 16:23, Jordan Dare via PacketFence-users wrote:
>>>>> Hi all,
>>>>>
>>>>> I'm having issues getting a wireless profile to use the secondary LDAP
>>>>> source instead of the Active Directory source when authentication
>>>>> fails.
>>>>>
>>>>> What I have is our internal AD server that has all staff accounts,
>>>>> etc. And an stunnel proxy to G-Suite LDAP which contains our student
>>>>> accounts.
>>>>>
>>>>> What I want to happen is if authentication fails for the first Active
>>>>> Directory source, it then tries the stunnel G Suite LDAP, however it
>>>>> seems to hit the AD source, get an "authentication failed", and then
>>>>> stop there.
>>>>>
>>>>> Here's what the "RADIUS" tab on the failed authentication shows:
>>>>> Module-Failure-Message = "chrooted_mschap: Program returned code (1)
>>>>> and output 'The attempted logon is invalid. This is either due to a
>>>>> bad username or authentication information. (0xc000006d)'"
>>>>> Module-Failure-Message = "chrooted_mschap: External script says: The
>>>>> attempted logon is invalid. This is either due to a bad username or
>>>>> authentication information. (0xc000006d)"
>>>>> Module-Failure-Message = "chrooted_mschap: MS-CHAP2-Response is incorrect"
>>>>> User-Password = "******"
>>>>> Module-Failure-Message = "Failed retrieving values required to
>>>>> evaluate condition"
>>>>>
>>>>> Thanks.
>>>>> --
>>>>>
>>>>> Jordan Dare
>>>>>
>>>>> Information Technology Specialist
>>>>>
>>>>> Morgan Hill Unified School District
>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> PacketFence-users mailing list
>>>>> Pac...@li...
>>>>> https://lists.sourceforge.net/lists/listinfo/packetfence-users
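
The two suggestions made in this thread (skip ntlm_auth once the user is found in LDAP, and use EAP-TTLS/PAP against the LDAP directory) combined into one FreeRADIUS sketch. This is an added example, not text from the thread and not PacketFence's shipped configuration. It assumes the ldap module instance is named `openldap` as above, that the fragment sits in the virtual server handling the tunnelled inner request, and that `LDAP` is a free Auth-Type name.

```unlang
# Added illustration; instance name "openldap" is taken from the thread,
# the Auth-Type name "LDAP" is an assumption.
authorize {
    suffix
    ntdomain
    eap {
        ok = return
    }
    files
    openldap
    # The ldap module returns ok or updated when its search found the
    # user, and notfound otherwise (staff accounts that live only in AD).
    if (ok || updated) {
        update control {
            # MS-CHAP inner method: do not hand this user to ntlm_auth.
            &MS-CHAP-Use-NTLM-Auth := No
        }
        # PAP inner method (EAP-TTLS/PAP): a cleartext password is in
        # the request, so verify it with an LDAP bind. Leave any
        # Auth-Type already chosen by an earlier module untouched.
        if (&User-Password && !&control:Auth-Type) {
            update control {
                &Auth-Type := LDAP
            }
        }
    }
}

authenticate {
    # Added next to the entries this section already has.
    Auth-Type LDAP {
        openldap
    }
}
```

With ntlm_auth disabled, the mschap module can only validate a response if the directory lookup supplied an NT hash or cleartext password for the user. The PAP path needs neither, only a successful bind, so the cleartext password must be protected by the TTLS tunnel and by TLS on the LDAP connection.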