Hello PF gurus,
I'm testing PF 6.5.0 with an HP E5500 switch. My requirement is to provide 
wired 802.1X port security across all network switches. So far, I have tested 
this successfully on an HP test switch. Authentication is done via device 
certificates on Windows client machines against Windows AD using EAP-TLS. The 
correct data VLAN is returned for the switch port. I have also successfully 
tested authentication with user certificates over EAP-TLS and with just user AD 
accounts, but will be using device certificates in the production network.

I have an issue with controlling admin-level access to the switch CLI in SSH 
sessions. I have set cliAccess=Y in switch.conf, but this allows ANY 
authenticated user with an SSH client to get to the switch login prompt. I need 
to lock this down for security reasons. I have no users defined locally in PF, 
so I would prefer to restrict access to a few specific domain users 
(specifically, network support users). I already have an AD security group 
which contains network support staff users. Is it possible to assign 
admin-level access based on either an AD group or even by individual users?

Also, when a user logs into the switch they have only basic access, so they can 
view the basic switch settings but cannot make any configuration changes or save 
them. I know that this is down to the access level allowed on the switch, but 
what do I need to configure to return the correct admin-level access to network 
support staff? I assume I'm going to need to configure a VSA, but I haven't 
found any similar problems in the support forum to point me in the right 
direction.

Thanks

Steve
_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users