Hi Fabrice,

Thanks for your help so far; we managed to make a lot of progress with regard
to PacketFence and DOT1X. I have a small issue with machine authentication.
What I did so far from my end is that I've created a new AD source with a
different base DN for computers and user attribute servicePrincipalName.
Then I created a new Portal Profile with connection_Type=Ethernet-EAP. I
created a realm host, but from the debug the 'Checking for prefix before "\"'
is not matching the realm, as the username is being sent as host\ and not
host/. Any suggestions?

Regards,
Etienne


On Fri, Nov 25, 2016 at 6:59 PM, Fabrice Durand <[email protected]> wrote:

> Hi Etienne,
>
> OK, so here is what you have to do:
>
> Join PacketFence to your domain.
>
> Create an authentication source with a rule that will assign a role based on
> group membership.
>
> Create a firewall SSO config to send accounting packetfence to your
> Fortigate.
>
> That's all; there is no need to tell the switch to send accounting packets,
> PacketFence will do it for you.
>
> If you want, I am available on the freenode IRC #packetfence channel if you
> want more details.
>
> Regards
>
> Fabrice
>
>
>
> On 2016-11-25 at 12:30, Etienne Vella wrote:
>
> Hi Fabrice,
>
>
> The idea is to have a user log in via dot1x (wired/wireless), then
> PacketFence should check with Active Directory re credentials, then before
> authenticating PacketFence should check for a particular group to apply
> the VLAN allocation rules. Once authenticated, the switch would send
> accounting packets to Fortigate firewalls with a modified class according
> to the group which was met in the authentication part.
>
>
> If someone else has a better approach, I'm very open to suggestions. In
> the end we would like to have SSO from network layer 2 up to the
> firewall.
>
> Regards,
> Et
>
>
> On Fri, Nov 25, 2016 at 5:30 PM, Fabrice Durand <[email protected]>
> wrote:
>
>> Hi Etienne,
>>
>> Do you have an example of what you want to send and what is the firewall
>> type ?
>>
>> Regards
>>
>> Fabrice
>>
>>
>>
>> On 2016-11-25 at 11:02, Etienne Vella wrote:
>>
>> Hi,
>>
>> Thanks for your reply but I'm not able to modify any classes there.
>>
>> Any ideas on how to do class mappings?
>>
>> Regards
>> Et
>>
>> On Fri, 25 Nov 2016, 15:59 Fabrice Durand, <[email protected]> wrote:
>>
>>> Hello Etienne,
>>>
>>> This feature is called Firewall SSO in PacketFence; have a look in
>>> Configuration -> Firewall SSO.
>>>
>>> Regards
>>>
>>> Fabrice
>>>
>>>
>>>
>>>
>>> On 2016-11-25 at 07:07, Etienne Vella wrote:
>>>
>>> Hi,
>>>
>>> I'm currently trying to deploy PacketFence to be used with DOT1x and
>>> SSO. I managed to configure rules under User Sources -> Active Directory.
>>> But I would like some logic to assign a class in the RADIUS accounting
>>> packets so that the firewall could assign that user to that particular
>>> group. Basically, in short, I would need to modify the class of the
>>> accounting packets which are being sent to SSO with specific classes
>>> according to specific groups. Basically we are in the process of eliminating
>>> Microsoft NAP for DOT1x.
>>>
>>>
>>> Regards,
>>> Etienne
>>>
>>>
>>>
>>> ------------------------------------------------------------------------------
>>> _______________________________________________
>>> PacketFence-users mailing list
>>> [email protected]
>>> https://lists.sourceforge.net/lists/listinfo/packetfence-users
>>>
>>> --
>>> Fabrice [email protected] :: +1.514.447.4918 (x135) :: www.inverse.ca
>>> Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence (http://packetfence.org)
>>
>
> --
> Cheers Etienne
>


-- 
Cheers
Etienne