> On Mar 1, 2016, at 16:25 , BARÓCSI Gábor <[email protected]> wrote:
> 
> Please help me understand the PacketFence philosophy. I see that you are very 
> helpful on the mailing list. I just need you to give me a push in the right 
> direction :) Let me describe the situation. We have a working network, with a 
> Windows AD. I prepared a switch for testing (in production mode), with 
> isolation, registration and management VLANs.
> I run PacketFence on a physical machine. I set up the switch to 
> communicate with PacketFence by RADIUS. 
> Now, if I connect a notebook to the switch, it sends the MAC address of 
> the client to PacketFence, then PF sets the port to the registration VLAN and 
> the client gets an IP address from the registration subnet pool.

What you describe here is called MAC authentication (over RADIUS).


> I set up PF for our domain network. I set up a realm, and I also set up a source for AD 
> validation (first I want to check whether a user or computer is a member of a group or 
> a member of AD).
> 
> My main problem is: can I somehow avoid the registration through the captive 
> portal? Can the username/password or computer/hostname be used for 
> authentication? I just want to avoid all users having to manually 
> authenticate on the captive portal. Is that possible? I hope so, as 
> PacketFence can query the AD domain. PacketFence is also joined to the 
> Windows domain.

Yes. That’s possible.
But not with MAC authentication.

You need to configure the switch to use 802.1x.
Then the Windows supplicant can send the username and a password hash which can 
be checked against AD.
Make sure the Windows supplicant service is running.

You can then define a VLAN filter to automatically register the user if the 
credentials are valid.

Look into conf/vlan_filters.conf.example.

> My next step would be to make this work on Wi-Fi; we have Ruckus APs with a 
> ZoneDirector. (It worked fine with Windows NAP.) 
> Next, how can I set it up to check whether a user is a member of a group? 

Configure rules under your Active-Directory source in PacketFence to check for 
them using LDAP.

> And how can I check the state of the firewall, antivirus and so on? 

Not with PacketFence. 
That is something else entirely, and requires an agent running on the 
connecting device.
PacketFence does integrate with some Mobile Device Management software, notably 
OPSWAT.


> Can it be checked before access to the network? I just want to avoid 
> logging into a captive portal, as it takes time for the users! This would 
> remain for mobile devices or guests. We can force users to set up 802.1x authentication 
> on the network interface; it is not a problem. There we can set the network 
> authentication method, like PEAP or EAP-MSCHAP v2. 

What you want is called autoregistration.
Configure 802.1x, make sure the server is joined to the Active-Directory domain 
and configure a VLAN filter using "scope = AutoRegister".

Regards,
--
Louis Munro
[email protected]  ::  www.inverse.ca 
+1.514.447.4918 x125  :: +1 (866) 353-6153 x125
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence 
(www.packetfence.org)
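As an added illustration of the VLAN filter described in the reply (not part of the original message or of the PacketFence project's own files): a vlan_filters.conf fragment in the format of conf/vlan_filters.conf.example as it existed in PacketFence 5.x/6.x. The section names, the `connection_type` filter, the `Ethernet-EAP` / `Wireless-802.11-EAP` values and the `&`/`|` rule syntax are assumptions from memory; verify them against the example file shipped with your version before use.

```ini
# Added example, not from the mailing-list reply or the PacketFence project.
# Attribute names and values are assumptions; compare with the
# conf/vlan_filters.conf.example shipped with your PacketFence version.

# Condition: the RADIUS request came in over wired 802.1X (EAP on a switch
# port). Plain MAC authentication would show up as Ethernet-NoEAP instead and
# therefore would NOT match, so MAC-auth clients still go to the portal.
[wired_dot1x]
filter = connection_type
operator = is
value = Ethernet-EAP

# Condition: same thing for the wireless case (Ruckus APs doing 802.1X/PEAP).
[wireless_dot1x]
filter = connection_type
operator = is
value = Wireless-802.11-EAP

# Rule 1: if either 802.1X condition matched, the supplicant already
# authenticated against AD (a bad password is rejected by RADIUS before any
# filter runs), so register the device automatically with the "default"
# role and skip the captive portal entirely.
[1:wired_dot1x|wireless_dot1x]
scope = AutoRegister
role = default
```

The AD group check from the reply is separate: it belongs in the rules of the Active Directory source, which then decides which role the autoregistered node receives.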
_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users