Hi,

Thanks for the reply! I hoped this could be done; the question is how :)

I understand that sending the MAC address is MAC auth. On the switch both MAC and 802.1x are enabled. I can disable MAC auth.

> Then the windows supplicant can send the username and a password hash which can be checked against AD. Make sure the windows supplicant service is running.

How is it checked? Is it automatically passed to the Domain Controller, or does something have to be configured? Which service do you mean?
I saw there are options for WMI, for example, to do some checks. Do they work?

Thanks!

Gábor Barócsi
Network and System Engineer

From: Louis Munro [mailto:[email protected]]
Sent: March 1, 2016 22:43
To: [email protected]
Subject: Re: [PacketFence-users] how EAP works with AD and some basic questions

> On Mar 1, 2016, at 16:25, BARÓCSI Gábor <[email protected]> wrote:
>
>> Please help me understand the PacketFence philosophy. I see that you are very helpful on the mailing list. I just need you to give me a push in the right direction :)
>>
>> Let me describe the situation. We have a working network, with a Windows AD. I prepared a switch for testing (in production mode), with isolation, registration and management VLANs. I run PacketFence on a physical machine. I set up the switch to communicate with PacketFence by RADIUS. Now, if I connect a notebook to the switch, it sends the MAC address of the client to PacketFence, then PF sets the port to the registration VLAN and the client gets an IP address from the registration subnet pool.
>
> What you describe here is called MAC authentication (over RADIUS).
>
>> I set up PF for our domain network. I set up a realm, and I also set up a source as AD validation (first I want to check if the user or computer is a member of a group or a member of AD). My main problem is: can I somehow avoid the registration through the captive portal? Can the username/password or computer/hostname be used as authentication? I just want to avoid all users having to manually authenticate on the captive portal. Is that possible? I hope so, as PacketFence can query the AD domain. PacketFence is also joined to the Windows domain.
>
> Yes. That's possible. But not with MAC authentication. You need to configure the switch to use 802.1x. Then the Windows supplicant can send the username and a password hash which can be checked against AD. Make sure the Windows supplicant service is running. You can then define a VLAN filter to automatically register the user if the credentials are valid. Look into conf/vlan_filters.conf.example.
>
>> My next step would be to make this work on WiFi; we have Ruckus APs with ZoneDirector. (It worked fine with Windows NAP.)
>>
>> Next, how can I set it up to check if a user is a member of a group?
>
> Configure rules under your Active-Directory source in PacketFence to check for them using LDAP.
>
>> And how can I check the state of the firewall, antivirus and so on?
>
> Not with PacketFence. That is something else entirely, and requires an agent running on the connecting device. PacketFence does integrate with some Mobile Device Management software, notably OPSWAT.
>
>> Can it be checked before access to the network? I just want to avoid logging into a captive portal, as it takes time for the users! This would remain for mobile or guests. We can force users to set 802.1x authentication for the network interface; it is not a problem. There we can set the network authentication method, like PEAP or EAP-MSCHAP v2.
>
> What you want is called autoregistration. Configure 802.1x, make sure the server is joined to the Active-Directory domain and configure a VLAN filter using "scope = AutoRegister".
>
> Regards,
> --
> Louis Munro
> [email protected] :: www.inverse.ca
> +1.514.447.4918 x125 :: +1 (866) 353-6153 x125
> Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence (www.packetfence.org)
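As an added illustration (not from the thread and not PacketFence's own shipped file), this is the shape a wired-802.1x autoregistration rule takes in the conf/vlan_filters.conf syntax of that era; the key names and the connection_type value Ethernet-EAP are assumed from memory of the example file, so compare against conf/vlan_filters.conf.example on your own version before relying on it.

```ini
# Added example: autoregister a node once it authenticated over wired 802.1x.
# Assumed PacketFence 5/6 conf/vlan_filters.conf syntax; verify every key
# against conf/vlan_filters.conf.example on your installation.

# Condition: the connection arrived as wired EAP (802.1x). Reaching this
# point means the RADIUS server already validated the supplicant's
# credentials against AD; a bare MAC seen on the port does not match.
[WiredEAP]
filter = connection_type
operator = is
value = Ethernet-EAP

# Rule 1: when the condition holds, register the node and assign the role.
# The role named here ("default") must exist under Configuration > Roles.
[1:WiredEAP]
scope = AutoRegister
role = default

# Nodes that only passed MAC authentication match no rule above, so they
# still land on the registration VLAN and the captive portal as before.
```

Keep MAC authentication enabled on the switch only if you want non-supplicant devices (printers, phones, guests) to keep reaching the portal; the rule above leaves that path unchanged.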
