From: Durand f. <fd...@in...> - 2019-10-15 23:15:02

Hello Jordan,

My bad, this doc is based on FreeRADIUS 2, so check the file ldap in mods-enabled (the syntax is close to the same).

Regards
Fabrice

https://support.google.com/a/answer/9048434?hl=en&ref_topic=9173976
https://community.ui.com/questions/Guide-to-get-Unifi-FreeRadius-Google-LDAP-G-Suite-set-up-in-docker/36af593f-73b1-4943-8e22-9a81b10db9ae

On 19-10-15 at 12:33, Jordan Dare wrote:
> Hi Durand,
>
> I don't have a "/usr/local/pf/raddb/modules" folder.
>
> Is this something I need to create, or could it be in another folder
> instead? I do have "/usr/local/pf/raddb/mods-available" and
> "mods-enabled", but I don't know if these are the correct folders.
>
> Thank you so much for your help!
>
> On Mon, Oct 14, 2019 at 3:23 PM Durand fabrice <fd...@in...> wrote:
>> Hello Jordan,
>>
>> The logic needs to be added in FreeRADIUS, since FreeRADIUS does the
>> 802.1x.
>>
>> In fact you need to do something like that:
>>
>> https://github.com/inverse-inc/packetfence/blob/devel/docs/PacketFence_Installation_Guide.asciidoc#eap-authentication-against-openldap
>>
>> But in this section:
>>
>> authorize {
>>     suffix
>>     ntdomain
>>     eap {
>>         ok = return
>>     }
>>     files
>>     openldap
>>
>>     # ok/updated is what the ldap module returns when the user entry was found
>>     if (ok || updated) {
>>         update control {
>>             &MS-CHAP-Use-NTLM-Auth := No
>>         }
>>     }
>> }
>>
>> So it means that if the user is found in openldap (in your case G Suite)
>> then disable ntlm_auth.
>>
>> Let me know if you need more details.
>>
>> Regards
>>
>> Fabrice
>>
>> On 19-10-14 at 16:09, Jordan Dare wrote:
>>> Hi Durand,
>>>
>>> I have it set up like the second option you mentioned (EAP-TTLS/PAP),
>>> however the issue is that it tries NTLM auth no matter what order I
>>> have everything in, which fails for student accounts, and it stops
>>> when NTLM auth fails instead of moving on to the next source.
>>>
>>> On Sun, Oct 13, 2019 at 4:57 AM Durand fabrice <fd...@in...> wrote:
>>>> Hello Jordan,
>>>>
>>>> Yes, you can do that on the captive portal.
>>>>
>>>> You just need to create a connection profile with a rule that matches, for
>>>> example, the SSID and assign it the authentication sources you want to use
>>>> (in first position the student one and then in 2nd position the staff one).
>>>>
>>>> The other option should be to do EAP-TTLS/PAP for the students and
>>>> configure FreeRADIUS to talk to G Suite via LDAP. (I don't have a G
>>>> Suite account so I can't test, but it should work.)
>>>>
>>>> Regards
>>>>
>>>> Fabrice
>>>>
>>>> On 19-10-11 at 22:11, Jordan Dare wrote:
>>>>> Hi Durand,
>>>>>
>>>>> Thanks for your reply.
>>>>>
>>>>> Is it possible to have it check the student source first, then if it
>>>>> fails go to AD? Or something like that? G Suite doesn't normally do
>>>>> 802.1x, but they have an LDAP server you can authenticate against,
>>>>> which is what I'm trying to do.
>>>>>
>>>>> Thanks!
>>>>>
>>>>> On Fri, Oct 11, 2019 at 5:45 PM Durand fabrice via PacketFence-users
>>>>> <pac...@li...> wrote:
>>>>>> Hello Jordan,
>>>>>>
>>>>>> The error message is related to NTLM, so it means that it tries to
>>>>>> authenticate the student account on the AD.
>>>>>>
>>>>>> When it fails in FreeRADIUS then the RADIUS request doesn't reach the
>>>>>> PacketFence code to test the authentication sources with the rules.
>>>>>>
>>>>>> So you need to find a way to authenticate your students with 802.1x, and
>>>>>> is it possible to do 802.1x with G Suite?
>>>>>>
>>>>>> Regards
>>>>>>
>>>>>> Fabrice
>>>>>>
>>>>>> On 19-10-03 at 16:23, Jordan Dare via PacketFence-users wrote:
>>>>>>> Hi all,
>>>>>>>
>>>>>>> I'm having issues getting a wireless profile to use the secondary LDAP
>>>>>>> source instead of the Active Directory source when authentication
>>>>>>> fails.
>>>>>>>
>>>>>>> What I have is our internal AD server that has all staff accounts,
>>>>>>> etc., and a stunnel proxy to G Suite LDAP which contains our student
>>>>>>> accounts.
>>>>>>>
>>>>>>> What I want to happen is if authentication fails for the first Active
>>>>>>> Directory source, it then tries the stunnel G Suite LDAP; however it
>>>>>>> seems to hit the AD source, get an "authentication failed", and then
>>>>>>> stop there.
>>>>>>>
>>>>>>> Here's what the "RADIUS" tab on the failed authentication shows:
>>>>>>>
>>>>>>> Module-Failure-Message = "chrooted_mschap: Program returned code (1) and output 'The attempted logon is invalid. This is either due to a bad username or authentication information. (0xc000006d)'"
>>>>>>> Module-Failure-Message = "chrooted_mschap: External script says: The attempted logon is invalid. This is either due to a bad username or authentication information. (0xc000006d)"
>>>>>>> Module-Failure-Message = "chrooted_mschap: MS-CHAP2-Response is incorrect"
>>>>>>> User-Password = "******"
>>>>>>> Module-Failure-Message = "Failed retrieving values required to evaluate condition"
>>>>>>>
>>>>>>> Thanks.
>>>>>>> --
>>>>>>>
>>>>>>> Jordan Dare
>>>>>>>
>>>>>>> Information Technology Specialist
>>>>>>>
>>>>>>> Morgan Hill Unified School District
>>>>>>>
>>>>>>> _______________________________________________
>>>>>>> PacketFence-users mailing list
>>>>>>> Pac...@li...
>>>>>>> https://lists.sourceforge.net/lists/listinfo/packetfence-users
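The authorize logic discussed in the thread, written out in FreeRADIUS 3 unlang as an added example (this is not from the thread, the PacketFence guide or the PacketFence raddb). It assumes the LDAP module instance defined in mods-enabled/ldap is called `ldap`, that it is pointed at the G Suite LDAP endpoint (via the stunnel proxy the original poster already has), and that the block lives in the authorize section of the virtual server handling the EAP-TTLS inner tunnel; the PacketFence-specific server and file names are not reproduced.

```unlang
# Added example, not PacketFence's own configuration. FreeRADIUS 3 syntax.
# Goal: if the user exists in the (G Suite) LDAP directory, authenticate
# with PAP against LDAP and make sure mschap never calls ntlm_auth against
# AD for that user; users not in LDAP fall through to the existing AD path.
authorize {
    suffix
    ntdomain

    # Inner EAP, if any, is processed first; stop here when it returns ok.
    eap {
        ok = return
    }

    files

    # Look the user up in LDAP. In authorize, "fail" and "notfound" would
    # normally stop processing ("return"); lowering them to priority 1 lets
    # the request continue to the AD/NTLM path instead of being rejected
    # here. A student that is missing from LDAP will still be rejected by
    # AD later, exactly as before; staff are unaffected by an LDAP outage.
    ldap {
        notfound = 1
        fail = 1
    }

    # rlm_ldap returns "ok" when the entry was found (or "updated" when it
    # also added attributes). Only then: authenticate via LDAP for PAP and
    # disable the ntlm_auth call so mschap does not ask AD about this user.
    if ((ok || updated) && &User-Password) {
        update control {
            &Auth-Type := ldap
            &MS-CHAP-Use-NTLM-Auth := No
        }
    }

    expiration
    logintime
    pap
}
```

Two points worth checking after applying something like this. First, `MS-CHAP-Use-NTLM-Auth := No` only stops mschap from calling ntlm_auth; it does not make MSCHAPv2 work for the LDAP users, because mschap then needs an NT-Password or Cleartext-Password from the directory, which the G Suite LDAP service does not provide. That is why the thread settles on EAP-TTLS/PAP for the students. Second, confirm the effect in `radiusd -X` output: a student request should show `rlm_ldap` returning ok and `Auth-Type = ldap`, with no `chrooted_mschap`/ntlm_auth failure line, while a staff request should still show the `notfound` from LDAP followed by the usual NTLM path.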