Discussion:
[PacketFence-users] mab+802.1x authentication
luca comes
2017-05-29 14:12:13 UTC
Hi all,

I successfully configured the latest release of PF with a Cisco Catalyst 3750G to perform 802.1x authentication against my AD domain.

I'm studying the solution because the intention is to deploy it on all my sites (more or less 15 sites and 1000 users). Currently the server is located in our datacenter in an out-of-band deployment, and locally on my test site I've configured registration and isolation VLANs even if they are not used in an 802.1x environment. The problem now is that I need to permit AD authentication on PCs where credentials are not in the client's cache, but at the beginning neither IP traffic nor DHCP is permitted, so users can't access the network. I thought that a solution could be to perform two-factor authentication, so at the start of the process I could use MAB authentication and put them on the registration VLAN, opened to access the AD. But then I need to do 802.1x user authentication without passing through the registration portal; is that possible? Is there a better way to deploy a solution like that?


Thank you in advance


Luca
Pedro Simões
2017-05-29 15:06:46 UTC
I think for that scenario you need to use machine authentication.



luca comes
2017-05-29 15:34:23 UTC
Hi Pedro,

Yes, I think so, but I don't understand how to do this. Do I need to create a new connection profile for it? At the moment I have only one connection profile other than the default, which takes care of users. I'm really confused.


Thanks


Luca


Antoine Amacher
2017-05-29 15:55:26 UTC
Hello Lucas,


To use MachineAuthentication, create an AD source like the one used for
your UserAuthentication, replacing the Username attribute "sAMAccountName"
with "ServicePrincipalName". That will allow you to do
MachineAuthentication. Make sure to add this source to your connection
profile.


If the machine is in the domain with a valid machine account then it
will be able to authenticate.


To properly test MachineAuthentication, make sure that it is allowed or
enforced in the 802.1x supplicant configuration.


Thanks


--
Antoine Amacher
***@inverse.ca :: www.inverse.ca
+1.514.447.4918 x130 :: +1 (866) 353-6153 x130
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence (www.packetfence.org)
Pedro Simões
2017-05-29 16:12:10 UTC
This might help also:
https://support.microsoft.com/en-us/help/929847/how-to-enable-computer-only-authentication-for-an-802.1x-based-network-in-windows-vista,-in-windows-server-2008,-and-in-windows-xp-service-pack-3


luca comes
2017-05-30 08:17:58 UTC
Hi Antoine,

Thank you for your help. I tried with the new profile and I can do machine authentication now. But I have a problem: in the first step I do machine auth to put the hosts on a dedicated VLAN that can see only Active Directory and nothing more. At this step the user can authenticate on the machine, change the AD password and so on. But when the user is logged on I want to put them on another VLAN based on the role associated with the AD group. At the moment the user is authenticated, so I can see the node status registered to the user with the correct role, but no VLAN change is made. Is that possible?


Luca


Antoine Amacher
2017-05-30 13:39:38 UTC
Hello Luca,


For this case make sure the authentication type selected on the
supplicant is "User authentication or Machine authentication", and make
sure both the user and machine AD sources are enabled on the connection profile.

This will allow the machine to do MachineAuth when nobody is logged
in on the machine, and when a user logs in it will do User
authentication.


So during MachineAuth the device will be assigned to VLAN X -> Only AD;
when a user logs in, the device will be assigned to VLAN Y -> User VLAN.


Thanks


luca comes
2017-05-31 07:24:28 UTC
Hi Antoine,

I then tried and machine auth is working fine. The main problem is that when a user logs in it's not moved to the right VLAN. Debugging 802.1x requests on the switch I can see that dot1x times out and it falls back to MAB authentication. So I have two questions:


1. Is there a way to force the client to send the user? I've configured it with the option "user or machine authentication". Could it be a client bug? I'm testing on a Windows 10 machine at the moment; I will try the same on a Windows 8 client;
2. When it switches to MAB authentication it gets owner "default" and takes a profile (named Test at the moment), but I don't understand how to associate the profile with the MAB auth.


Thanks


Luca


Antoine Amacher
2017-05-31 20:19:45 UTC
Hello Lucas,


1. I am pretty sure Windows favors UserAuthentication if a user is logged
in and "User or Machine" is selected in the supplicant.

You could also set up the connection as UserAuth only, but then you lose
your Machine Authentication. Have a look at VLAN filters; there is a case
example where we want the endpoint to have a machine account before
allowing UserAuthentication, which means every device matching this
filter will have to do Machine Auth first, then User Auth.

You could also reduce the timeout for 802.1x re-auth in the switch
configuration, which would force a re-authentication from the device.


2. To force a profile to be used when the connection is MAB, simply add
a filter in the connection profile: 'Connection Type: WIRED_MAC_AUTH'.


Thanks


On 05/31/2017 03:24 AM, luca comes wrote:
>
> Hi Antoine,
>
> I then tried and machine auth is working fine. The main problem is
> that when a user login it's not moved on the right VLAN. Debugging
> 802.1x requests on the switch I can see that dot1x timeout and it
> scale on mab authentication. So I have two questions:
>
>
> 1. Is there a way to force the client to send the user? I've
> configured it with the option user or machine authentication.
> Could it be a client's bug? I'm testing on a Windows 10 machine at
> the moment, I will try the same on a Windows 8 client;
> 2. When it switch on mab authentication it gets owner default and
> take a profile (named Test at the moment) but I don't understnad
> how to associate the profile associated to the mab auth;
>
>
> Thanks
>
>
> Luca
>
>
> Inviato da Outlook <http://aka.ms/weboutlook>
>
>
>
> ------------------------------------------------------------------------
> *Da:* Antoine Amacher <***@inverse.ca>
> *Inviato:* martedì 30 maggio 2017 15:39
> *A:* packetfence-***@lists.sourceforge.net
> *Oggetto:* Re: [PacketFence-users] mab+802.1x authentication
>
> Hello Luca,
>
>
> For this case make sure the authentication type selected on the
> supplicant is "User authentication or Machine authentication", make
> sure both user and machine AD sources are enable on the connection
> profile.
>
> This will allow for the machine to do MachineAuth when nobody is
> logged in on the machine, and when a User logged in it will do User
> authentication.
>
>
> So during MachineAuth, the device will be assign to VLAN X -> Only AD,
> when user logged in, the device will be assign to VLAN Y -> User VLAN.
>
>
> Thanks
>
>
> On 05/30/2017 04:17 AM, luca comes wrote:
>>
>> hi Antoine,
>>
>> thank you for your help. I tried with the new profile and I can do
>> machine authentication now. But I have a problem, at the first step I
>> do machine auth to put the hosts on a dedicated VLAN that can see
>> only active directory and nothing more. At this step the user can
>> authenticate on the machine or change AD password and so on. But when
>> the user is logged on I want put them on another VLAN based on the
>> role associated to the AD group? At the moment the user is
>> authenticated so I can see the node status registered to the user
>> with the correct role but no VLAN change is made. Is that possible?
>>
>>
>> Luca
>>
>>
>> Inviato da Outlook <http://aka.ms/weboutlook>
>>
>>
>>

--
Antoine Amacher
***@inverse.ca :: www.inverse.ca
+1.514.447.4918 x130 :: +1 (866) 353-6153 x130
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence (www.packetfence.org)
Pedro Simões
2017-05-29 17:13:23 UTC
Permalink
Hi Luca,



I’m sorry if I can’t be of more help.

I actually have an 802.1x deployment with machine authentication in
production but that one doesn’t go through PacketFence -> it works directly
with NPS. (And yes, in that case different profiles are configured in NPS
for machine and user authentication. They are not mutually exclusive in
NPS.)

The PacketFence deployment I have is mainly for guest access.



Pedro



From: luca comes [mailto:***@hotmail.it]
Sent: Monday, May 29, 2017 4:34 PM
To: packetfence-***@lists.sourceforge.net
Subject: Re: [PacketFence-users] mab+802.1x authentication



Hi Pedro,

yes I think so but I don't understand how to do this. I need to do a new
connection profile for it? At the moment I have only one connection profile
other than the default that take care of users. I'm really confused.



Thanks



Luca



Sent from Outlook <http://aka.ms/weboutlook>



luca comes
2017-05-30 08:19:03 UTC
Permalink
Hi Pedro,

Don't worry, you were really useful instead, because you put me on the right way 😊


Luca


Sent from Outlook<http://aka.ms/weboutlook>


________________________________
From: Pedro Simões <***@layer8.pt>
Sent: Monday, 29 May 2017 19:13
To: packetfence-***@lists.sourceforge.net
Subject: Re: [PacketFence-users] mab+802.1x authentication


Hi Luca,



I’m sorry if I can’t be of more help.

I actually have an 802.1x deployment with machine authentication in production but that one doesn’t go through PacketFence -> it works directly with NPS. (And yes, in that case different profiles are configured in NPS for machine and user authentication. They are not mutually exclusive in NPS.)

The PacketFence deployment I have is mainly for guest access.



Pedro



Pedro Simões
2017-05-29 15:08:19 UTC
Permalink
I think for that scenario you need to use machine authentication.



Pedro Simões
2017-05-29 16:19:44 UTC
Permalink
This might help also:
https://support.microsoft.com/en-us/help/929847/how-to-enable-computer-only-authentication-for-an-802.1x-based-network-in-windows-vista,-in-windows-server-2008,-and-in-windows-xp-service-pack-3


From: Antoine Amacher [mailto:***@inverse.ca]
Sent: Monday, May 29, 2017 4:55 PM
To: packetfence-***@lists.sourceforge.net
Subject: Re: [PacketFence-users] mab+802.1x authentication

Hello Lucas,

To use MachineAuthentication, create an AD source like the one used for your
UserAuthentication, replace the Username attribute: "sAMAccountName" by
"ServicePrincipalName". That will allow you to do MachineAuthentication.
Make sure to add this source on your connection profile.

If the machine is in the domain with a valid machine account then it will be
able to authenticate.

To properly test MachineAuthentication, make sure that it is allowed or
enforced in the 802.1x supplicant configuration.

Thanks

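Added example for this thread (not PacketFence code, and not written by anyone on the list) showing what swapping the Username attribute from sAMAccountName to servicePrincipalName actually changes. The Windows supplicant presents a machine identity of the form host/<FQDN> for computer authentication, which only matches a domain-joined computer object's servicePrincipalName values, while a user's login name only matches sAMAccountName; a machine without a valid account in the domain matches nothing, which is Antoine's "valid machine account" condition. The directory entries, the source names AD-Machine and AD-Users, and the function names are constructed for illustration; the lookup emulates the single-attribute equality search an AD source performs instead of contacting a domain controller, and it escapes the identity per RFC 4515 because the identity arrives straight from the supplicant and is untrusted input.

```python
"""Machine vs. user identity lookup against an AD-like directory.

Added example for this thread; not PacketFence code.  The directory
entries, source names and function names are constructed for illustration.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample objects shaped like AD entries (not real accounts).
# A domain-joined Windows machine has sAMAccountName "<NAME>$" and
# servicePrincipalName values of the form HOST/<name> and HOST/<fqdn>.
DIRECTORY: List[dict] = [
    {
        "dn": "CN=PC01,OU=Workstations,DC=corp,DC=example",
        "sAMAccountName": "PC01$",
        "servicePrincipalName": ["HOST/PC01", "HOST/pc01.corp.example"],
    },
    {
        "dn": "CN=Jane Doe,OU=Users,DC=corp,DC=example",
        "sAMAccountName": "jdoe",
        "servicePrincipalName": [],
    },
]


@dataclass(frozen=True)
class Source:
    """One AD authentication source: its name and the attribute the
    EAP identity is matched against (the 'Username attribute')."""
    name: str
    username_attribute: str


# The two sources described in the thread: identical except for the attribute.
MACHINE_SOURCE = Source("AD-Machine", "servicePrincipalName")
USER_SOURCE = Source("AD-Users", "sAMAccountName")

# RFC 4515 escaping for values placed inside an LDAP search filter.  The
# identity comes straight from the supplicant, so it is untrusted input.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape the characters that have meaning inside an LDAP filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_filter(source: Source, identity: str) -> str:
    """The equality filter a source would send to the domain controller."""
    return f"({source.username_attribute}={escape_filter_value(identity)})"


def lookup(source: Source, identity: str, directory: List[dict] = DIRECTORY) -> Optional[str]:
    """Emulate the single-attribute equality search build_filter() expresses.

    AD compares both attributes case-insensitively, so values are lower-cased;
    servicePrincipalName is multi-valued, sAMAccountName is single-valued.
    """
    needle = identity.lower()
    for entry in directory:
        values = entry.get(source.username_attribute, [])
        if isinstance(values, str):
            values = [values]
        if any(v.lower() == needle for v in values):
            return entry["dn"]
    return None


def authenticate_identity(
    identity: str,
    sources: Tuple[Source, ...] = (MACHINE_SOURCE, USER_SOURCE),
) -> Optional[Tuple[str, str]]:
    """Try the sources of a connection profile in order; return the name of
    the source that matched and the DN it resolved to, or None if no source
    knows the identity (e.g. a machine that is not joined to the domain)."""
    for source in sources:
        dn = lookup(source, identity)
        if dn is not None:
            return source.name, dn
    return None


if __name__ == "__main__":
    # Windows machine authentication sends host/<FQDN>; user authentication
    # sends the login name.  The third identity has no computer object.
    for ident in ("host/pc01.corp.example", "jdoe", "host/pc02.corp.example"):
        print(f"{ident!r:32} -> {authenticate_identity(ident)}")
```

With both sources on the connection profile the order is what makes the two-source setup work: the machine source answers for host/ identities and the user source for everyone else, and neither matches the other's population. One caveat the lookup also shows: a user source keyed only on sAMAccountName matches a computer account by its PC01$ name too, so a search that must keep the two apart needs an extra condition, and since computer objects in AD also carry objectClass user, that condition has to exclude computer rather than require user.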
Pedro Simões
2017-05-29 16:26:35 UTC
Permalink
This might help also:
https://support.microsoft.com/en-us/help/929847/how-to-enable-computer-only-authentication-for-an-802.1x-based-network-in-windows-vista,-in-windows-server-2008,-and-in-windows-xp-service-pack-3

PS: I apologize in advance if multiple messages were received on the
mailing list. I seem to be having some trouble getting emails through.

