AD Machine Authentication #8510

Open
coreykeeling opened this issue Jan 21, 2025 · 1 comment
@coreykeeling

Describe the bug
Unable to authenticate with AD using computer authentication. PacketFence logs look like it is looking up the device, but can't find it. It's able to look up users fine.

2025-01-21T15:15:43.899412+00:00 ULCCNAC03 httpd.aaa-docker-wrapper[3104]: httpd.aaa(7) INFO: [mac:18:5e:0f:cc:21:49] handling radius autz request: from switch_ip => (10.29.x.x), connection_type => Wireless-802.11-EAP, switch_mac => (30:cb:c7:54:8d:12), mac => [18:5e:0f:cc:21:49], port => 0, username => "COL-ELT-05.pfa.education", ssid => ULCC-IT (pf::radius::authorize)
2025-01-21T15:15:43.936129+00:00 ULCCNAC03 httpd.aaa-docker-wrapper[3104]: httpd.aaa(7) WARN: [mac:18:5e:0f:cc:21:49] [AD-MachineAuthentication Curriculum] Searching for (servicePrincipalName=COL-ELT-05.pfa.education), from OU=Computers,OU=PFA,DC=pfa,DC=education, with scope sub (pf::Authentication::Source::LDAPSource::match_in_subclass)
2025-01-21T15:15:44.003214+00:00 ULCCNAC03 httpd.aaa-docker-wrapper[3104]: httpd.aaa(7) WARN: [mac:18:5e:0f:cc:21:49] [AD-MachineAuthentication Catch-All] Searching for (servicePrincipalName=COL-ELT-05.pfa.education), from OU=Computers,OU=PFA,DC=pfa,DC=education, with scope sub (pf::Authentication::Source::LDAPSource::match_in_subclass)
2025-01-21T15:15:44.005368+00:00 ULCCNAC03 httpd.aaa-docker-wrapper[3104]: httpd.aaa(7) WARN: [mac:18:5e:0f:cc:21:49] No role specified or found for pid COL-ELT-05.pfa.education (MAC 18:5e:0f:cc:21:49); assume maximum number of registered nodes is reached (pf::node::is_max_reg_nodes_reached)
2025-01-21T15:15:44.005679+00:00 ULCCNAC03 httpd.aaa-docker-wrapper[3104]: httpd.aaa(7) ERROR: [mac:18:5e:0f:cc:21:49] no role computed by any sources - registration of 18:5e:0f:cc:21:49 to COL-ELT-05.pfa.education failed

To Reproduce

  1. Connect PacketFence to AD.
    [ULCCNAC03 PFA]
    ad_account_lockout_threshold=0
    ntlm_auth_host=127.0.0.1
    machine_account_password=
    ad_server=10.28.x.x
    password_is_nt_hash=1
    max_allowed_password_attempts_per_device=0
    ad_old_password_allowed_period=60
    workgroup=pfa
    ad_account_lockout_duration=30
    status=enabled
    ou=Computers
    server_name=%h
    ntlm_cache_expiry=3600
    ad_reset_account_lockout_counter_after=30
    nt_key_cache_enabled=disabled
    dns_name=pfa.education
    dns_servers=10.28.x.x
    sticky_dc=*
    nt_key_cache_expire=12000
    ad_fqdn=,redact>.pfa.education
    ntlm_auth_port=5000

  2. Create a realm
    [pfa.education]
    permit_custom_attributes=disabled
    eduroam_radius_acct_proxy_type=load-balance
    radius_acct=
    eduroam_radius_acct=
    eduroam_radius_auth_proxy_type=keyed-balance
    radius_auth_proxy_type=keyed-balance
    eduroam_radius_auth=
    admin_strip_username=enabled
    eap=default
    radius_acct_proxy_type=load-balance
    radius_auth_compute_in_pf=enabled
    portal_strip_username=enabled
    domain=PFA
    radius_strip_username=enabled
    radius_auth=
    eduroam_radius_auth_compute_in_pf=enabled

  3. Create an authentication source
    [AD-MachineAuthentication]
    connection_timeout=5
    encryption=none
    searchattributes=
    password=
    type=AD
    basedn=OU=Computers,OU=PFA,DC=pfa,DC=education
    monitor=1
    host=,redacted>.pfa.education
    scope=sub
    description=Machine authentication against AD.
    set_access_durations_action=
    write_timeout=5
    dead_duration=60
    email_attribute=mail
    shuffle=0
    port=389
    use_connector=1
    verify=none
    binddn=CN=PacketFence - LDAP,OU=Service Accounts,OU=Users,OU=PFA,DC=pfa,DC=education
    usernameattribute=servicePrincipalName
    realms=pfa.education
    read_timeout=10
    cache_match=0

    [AD-MachineAuthentication rule Curriculum]
    status=enabled
    action0=set_role=ad_machine
    class=authentication
    condition0=ldap:memberOf,is member of,CN=Domain Computers,CN=Users,DC=pfa,DC=education
    action1=set_access_duration=5D
    match=all

    [AD-MachineAuthentication rule Catch-All]
    class=authentication
    match=all
    action1=set_access_duration=1h
    action0=set_role=REJECT
    status=enabled

  4. Create a connection profile
    [ULCC-Curriculum]
    filter_match_style=all
    sources=AD-MachineAuthentication
    autoregister=enabled
    advanced_filter=
    locale=
    filter=connection_type:Wireless-802.11-EAP,ssid:ULCC-IT

  5. Create a Windows Wi-Fi profile with 802.1X computer authentication.
    Microsoft: Smart Card or other certificate (EAP-TLS)

  6. Try to connect and get an error saying unable to connect; in the audit section in PacketFence, it will say it was rejected.

Screenshots
servicePrincipalName for the device I have tried to authenticate.


Expected behaviour
I expect the computer to authenticate to PacketFence.

Desktop (please complete the following information):
Windows 10 22H2.
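The log lines above show the exact LDAP search PacketFence runs for the source: an equality filter on `usernameattribute` (`servicePrincipalName`) with the stripped username, under `basedn`, scope `sub`, once per rule. The script below is an added, simplified model of that lookup and rule evaluation, not PacketFence's own code; the directory entries are constructed (the report's screenshot of the real SPN values is not on the page), and it only illustrates that when no object carries the looked-up value as a whole attribute value, no rule is evaluated at all, not even the Catch-All, which is the "no role computed by any sources" outcome.

```python
import re

# Constructed from the 'Searching for' line in the report; PacketFence logs the filter and base DN it uses.
LOG_LINE = ("[AD-MachineAuthentication Curriculum] Searching for "
            "(servicePrincipalName=COL-ELT-05.pfa.education), "
            "from OU=Computers,OU=PFA,DC=pfa,DC=education, with scope sub")
# Hypothetical directory contents (the real SPN values of the reporter's computer are not on the page).
DIRECTORY = {
    "CN=COL-ELT-05,OU=Computers,OU=PFA,DC=pfa,DC=education": {
        "servicePrincipalName": ["HOST/COL-ELT-05", "HOST/COL-ELT-05.pfa.education"],
        "memberOf": ["CN=Domain Computers,CN=Users,DC=pfa,DC=education"]},
    "CN=LAB-PC-01,OU=Computers,OU=PFA,DC=pfa,DC=education": {
        "servicePrincipalName": ["LAB-PC-01.pfa.education"],
        "memberOf": ["CN=Domain Computers,CN=Users,DC=pfa,DC=education"]},
}
# The two rules of the AD-MachineAuthentication source, in the order PacketFence lists them.
RULES = [
    {"name": "Curriculum", "memberOf": "CN=Domain Computers,CN=Users,DC=pfa,DC=education",
     "role": "ad_machine", "access_duration": "5D"},
    {"name": "Catch-All", "memberOf": None, "role": "REJECT", "access_duration": "1h"},
]

def parse_search(line):
    """Extract attribute, value, base DN and scope from the logged search."""
    m = re.search(r"Searching for \((\w+)=([^)]+)\), from (.+?), with scope (\w+)", line)
    return None if not m else dict(zip(("attr", "value", "basedn", "scope"), m.groups()))

def ldap_equality_search(directory, attr, value, basedn):
    """Scope-sub equality search: DN under basedn and one whole value of attr equal to value.
    servicePrincipalName compares case-insensitively in AD, but a value never matches a substring."""
    return [dn for dn, attrs in directory.items()
            if dn.lower().endswith(basedn.lower())
            and any(v.lower() == value.lower() for v in attrs.get(attr, []))]

def compute_role(directory, search, rules):
    """Simplified model of source matching: without an LDAP hit no rule, not even Catch-All, runs."""
    hits = ldap_equality_search(directory, search["attr"], search["value"], search["basedn"])
    if not hits:
        return None  # corresponds to "no role computed by any sources" in the report
    groups = [g.lower() for g in directory[hits[0]].get("memberOf", [])]
    for rule in rules:
        if rule["memberOf"] is None or rule["memberOf"].lower() in groups:
            return {"rule": rule["name"], "role": rule["role"], "access_duration": rule["access_duration"]}
    return None

if __name__ == "__main__":
    search = parse_search(LOG_LINE)
    print(compute_role(DIRECTORY, search, RULES))  # None: no entry carries that exact SPN value
    print(compute_role(DIRECTORY, dict(search, value="LAB-PC-01.pfa.education"), RULES))
```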

@coreykeeling (Author)

I was wondering if there is any update on this bug?
