In addition, if any of the authorized users bring their personal devices, such
as mobile/iPad/tablet/laptops, since they already have an 802.1x AD
account in the company, they can easily set up the 802.1x settings
themselves and get access granted.

Endpoint profiling/classification will have more flexibility and easier
configuration.
Something similar to this:
PF detects any BYOD devices that aren't authorized and puts them into registration.

I have no idea how to deal with this objective, by using traditional 802.1x
or WMI or Violation?

I would prefer Violation, because it can operate dynamically by design,
I guess. For example: PF detects domain computers and puts them in the normal VLAN;
otherwise it puts them in the Registration VLAN.
So how can I achieve this goal?

Thank you.

Regards,
Reeyon



On Thu, Feb 4, 2016 at 10:16 AM, Reeyon Lim <reeyon...@gmail.com> wrote:

> Hello Fabrice,
>
> From the windows supplicant, by default "user and computer authentication"
> was chosen in 802.1x settings.
>
> Does PF provide another, better solution for 802.1x authentication for BYOD?
>
> Regards,
> Reeyon
>
> On Wed, Feb 3, 2016 at 11:55 PM, Fabrice DURAND <fdur...@inverse.ca>
> wrote:
>
>> You talked about netbios name, not dns name.
>>
>> In PacketFence, freeradius validates the machine name
>> (host/FMCART310-15.domain.com) and on the PacketFence side we have to create
>> another authentication source with the user attribute
>> servicePrincipalName.
>>
>> Check in your AD for a machine account (Adsiedit.msc) in the attribute
>> servicePrincipalName and you will see the complete dns name of the
>> machine.
>>
>> So the only limit is 64 characters of the dns name.
>>
>> Regards
>> Fabrice
>>
>> Le 2016-02-03 10:16, Tedder, Eric a écrit :
>> > Fabrice,
>> >
>> > I am not certain how you get it to work after 15 characters, but
>> > everything I read and have experienced with AD and hostnames being longer
>> > than 14/15 characters is that they don't authenticate because AD will
>> > truncate them.
>> >
>> > https://support.microsoft.com/en-us/kb/909264
>> > https://technet.microsoft.com/en-us/library/cc731383.aspx
>> >
>> > https://supportforums.cisco.com/discussion/12299256/ise-admin-server-16-character-hostname
>> >
>> >
>> >
>> > -----Original Message-----
>> > From: Fabrice DURAND [mailto:fdur...@inverse.ca]
>> > Sent: Wednesday, February 03, 2016 9:17 AM
>> > To: packetfence-users@lists.sourceforge.net
>> > Subject: Re: [PacketFence-users] machine authentication
>> >
>> > There is no limit of 14 characters, I have machine auth with more than
>> > 30 characters and there is no issue.
>> >
>> > Also, did you check that the client does machine auth? (Windows
>> > supplicant)
>> >
>> > Regards
>> > Fabrice
>> >
>> > Le 2016-02-03 08:52, Tedder, Eric a écrit :
>> >> The one limitation that I have found with computer authentication with
>> >> PacketFence and Active Directory is that the computer name cannot
>> >> exceed 14 characters or it breaks.
>> >>
>> >>
>> >>
>> >> *From:*Reeyon Lim [mailto:reeyon...@gmail.com]
>> >> *Sent:* Tuesday, February 02, 2016 9:39 PM
>> >> *To:* packetfence-users@lists.sourceforge.net
>> >> *Subject:* Re: [PacketFence-users] machine authentication
>> >>
>> >>
>> >>
>> >> Hello Fabrice,
>> >>
>> >>
>> >>
>> >> Now I restarted the config from scratch.
>> >>
>> >>
>> >>
>> >> 0.  wipe out existing parameters in vlan_filters.conf
>> >>
>> >> 1.  Created AD-computer source, according to the Administration Guide.
>> >>
>> >> 2.  Map this source to 802.1x portal profile.
>> >>
>> >> 3.  run raddebug -f /usr/local/pf/var/run/radiusd.sock -t 3600
>> >>
>> >> 4.  I can't see any "host/xxxxxx" in debug, but I see "domain\username"
>> >>
>> >>
>> >>
>> >> So I guess the computer is authenticating user credentials instead of
>> >> machine auth.
>> >>
>> >>
>> >>
>> >> Anything that I've missed out?
>> >>
>> >>
>> >>
>> >>
>> >>
>> >> Regards,
>> >>
>> >> Reeyon
>> >>
>> >>
>> >>
>> >> On Tue, Feb 2, 2016 at 10:53 PM, Fabrice DURAND <fdur...@inverse.ca
>> >> <mailto:fdur...@inverse.ca>> wrote:
>> >>
>> >> Hello Reeyon,
>> >>
>> >> Le 2016-02-02 02:12, Reeyon Lim a écrit :
>> >>> Hello Everyone,
>> >>>
>> >>> Sorry for my multiple questions recently.
>> >> No problem, the mailing list is for that.
>> >>> I have been setting up an 802.1x authentication for the lab, but I
>> >>> need to do more secure of 802.1x authentication where I found
>> >>> machine authentication in the Administration guide.
>> >>>
>> >>> Tried to follow every step in the guide, but failed to make it work.
>> >>> I do not find any logs in packetfence.log like "host/xxxxxx", and pf
>> >>> just push the domain PC to RegistrationRole without authentication.
>> >> Check first in the radius.log or run radius in debug mode to see why
>> >> machine auth failed (raddebug -f /usr/local/pf/var/run/radiusd.sock -t
>> >> 3000).
>> >> When you are able to successfully authenticate the machine in
>> >> freeradius, then you will be able to see in packetfence.log a username
>> >> like host/xxxxxx
>> >>> I have 2 source lists: ad-user, and ad-computers These two lists
>> >>> mapped to 802.1x portal profile.
>> >>>
>> >>> The objective here is to block any non-domain BYOD device from
>> >>> accessing the network, except domain machines and users.
>> >>>
>> >> Next you will have to deal with vlan filter to test if machine auth
>> >> passed before user auth.
>> >>> Please help!
>> >>> Thank you.
>> >>>
>> >>> Regards,
>> >>> Reeyon
>> >>>
>> >>>
>> >> Regards
>> >> Fabrice
>> >>
>> >>>
>> >> ----------------------------------------------------------------------
>> >> --------
>> >>> Site24x7 APM Insight: Get Deep Visibility into Application
>> >>> Performance APM + Mobile APM + RUM: Monitor 3 App instances at just
>> >>> $35/Month Monitor end-to-end web transactions and take corrective
>> >>> actions now Troubleshoot faster and improve end-user experience.
>> Signup Now!
>> >>> http://pubads.g.doubleclick.net/gampad/clk?id=267308311&iu=/4140
>> >>>
>> >>>
>> >>> _______________________________________________
>> >>> PacketFence-users mailing list
>> >>> PacketFence-users@lists.sourceforge.net
>> >> <mailto:PacketFence-users@lists.sourceforge.net>
>> >>> https://lists.sourceforge.net/lists/listinfo/packetfence-users
>> >>
>> >> --
>> >> Fabrice Durand
>> >> fdur...@inverse.ca <mailto:fdur...@inverse.ca> ::  +1.514.447.4918
>> >> <tel:%2B1.514.447.4918> (x135) ::  www.inverse.ca
>> >> <http://www.inverse.ca> Inverse inc. :: Leaders behind SOGo
>> >> (http://www.sogo.nu) and PacketFence (http://packetfence.org)
>> >>
>> >>
>> >>
>> >>
>> >>
>> >>
>> >>
>> >
>> > --
>> > Fabrice Durand
>> > fdur...@inverse.ca ::  +1.514.447.4918 (x135) ::  www.inverse.ca
>> Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence
>> (http://packetfence.org)
>> >
>> >
>> >
>>
>>
>> --
>> Fabrice Durand
>> fdur...@inverse.ca ::  +1.514.447.4918 (x135) ::  www.inverse.ca
>> Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence
>> (http://packetfence.org)
>>
>>
>>
>>
>>
>
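The check discussed in this thread (does a "host/xxxxxx" identity show up in the RADIUS debug output, and does it appear before the "domain\username" identity from the same device) can be scripted. The following is an added example, not part of the original messages and not PacketFence code: the sample attribute lines are constructed in the `Attribute = "value"` style of FreeRADIUS debug output, and the function names and verdict labels are hypothetical.

```python
import re

ATTR = re.compile(r'^\s*([\w-]+)\s*=\s*"(.*)"\s*$')

# Constructed sample: one blank line separates two Access-Requests.
SAMPLE = r'''
User-Name = "host/FMCART310-15.domain.com"
Calling-Station-Id = "00-11-22-33-44-55"

User-Name = "DOMAIN\alice"
Calling-Station-Id = "00:11:22:33:44:55"

User-Name = "DOMAIN\bob"
Calling-Station-Id = "AA:BB:CC:DD:EE:FF"

User-Name = "host/LONG-LAB-WORKSTATION-0042.domain.com"
Calling-Station-Id = "66:77:88:99:aa:bb"
'''

def parse_requests(text):
    """Group attribute lines into requests; any non-attribute line ends one."""
    reqs, cur = [], {}
    for line in text.splitlines():
        m = ATTR.match(line)
        if m:
            cur[m.group(1)] = m.group(2)
        elif cur:
            reqs.append(cur)
            cur = {}
    return reqs + ([cur] if cur else [])

def is_machine(user_name):
    """Windows machine authentication presents the identity host/<name>."""
    return user_name.lower().startswith("host/")

def exceeds_netbios(user_name):
    """True when the host label is longer than the 15-character NetBIOS limit."""
    return len(user_name[5:].split(".")[0]) > 15

def review(text):
    """Per MAC: was a machine identity seen before the user identity?"""
    machines, verdict = set(), {}
    for r in parse_requests(text):
        mac = r.get("Calling-Station-Id", "?").lower().replace("-", ":")
        if is_machine(r.get("User-Name", "")):
            machines.add(mac)
            verdict.setdefault(mac, "machine-only")
        else:
            verdict[mac] = "machine+user" if mac in machines else "user-only"
    return verdict

if __name__ == "__main__":
    for mac, v in review(SAMPLE).items():
        print(mac, v)
```

A device that ends up as `user-only` matches the symptom reported in the thread: only "domain\username" is seen, so the supplicant is not performing machine authentication.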
