Hello Durand, Thank you very much for your reply.

I have a question about your reply and hope I can get your further help.

For the identification part, you said we can use 802.1x+MAB. I don't understand why 
we need MAB. Our current environment is already using 802.1x via Cisco ACS, and 
MAB is not enabled in our current environment and it also works well.
Or did I misunderstand something? Do you mean use 802.1x for the normal office 
users and use MAB for the VoIP and printer devices?

Our requirement:
―802.1x based on user info from AD source or based on device’s MAC address.

Your reply: 802.1x and MAC auth bypass seem to be OK for both.

For the compliance check part, our AD servers are controlled by another team and we 
are not so familiar with this part's setup, and neither is the other team. Do 
you have any setup suggestion, setup guidance, sample or something on how 
to use WMI to check if specific software is installed on a device?
Another solution we thought of is: keep monitoring the PF syslog; once we find a 
device has passed 802.1x, immediately send a controlled-device check request to our 
antivirus server (there is a condition here: if a device has installed our 
antivirus agent, it must be found in our antivirus server). If the check 
response is yes, we'll know this device has installed the agent, and then we 
can move it to the normal VLAN; otherwise redirect the user to a portal with the 
remediation solution for him.

2. Compliance and health check when registering to the office network.
―When a device logs in, check if the device has installed our official
antivirus software before giving the device normal network access. Isolate
the device from the normal inner network but give it restricted network access so
that they have a way to install the required software.

Your reply: WMI scan

For this part our planned solution is the same as you mentioned: once our 
antivirus server finds a dangerous device, it sends an alert syslog to PF, and PF uses 
the received alert syslog to trigger a violation and do the next control. 
Hope it works.

3. Isolating a dangerous device from the normal network
―When our antivirus agent finds some threat exists on the device, update the
device's VLAN to an isolation VLAN so that the threat won't spread to the other
inner network.

Your reply: you need to find a way to trigger a web service API call from the 
antivirus management console or send the syslog to PacketFence.

Finally, when PF does the 802.1x authentication, can we trigger the WMI scan at the 
same time? We want to use PF as our weapon to force people to install our 
security agent before they can get normal network access.
Or if it can't happen at the same time, after every device passes 802.1x auth, we 
just put it in an evaluation VLAN (with limited network access), and trigger a 
violation to do the WMI scan when a device is found in the evaluation VLAN. If the 
device has installed the agent, move the device to the normal VLAN; for the others, redirect 
to a URL to tell the user he should install our agent first, and give a link in that URL 
for him to download the agent.
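As an added illustration of the WMI software check asked about above (example code, not from the PacketFence project or this thread), the following PowerShell function queries a Windows host over CIM/WMI and reports whether the agent is installed and running. `Test-AgentCompliance`, the service name and the product name are assumptions; it also assumes the scanning host has WMI access and suitable credentials for the target, and leaves the VLAN move to PacketFence.

```powershell
# Added example, not code from the PacketFence project or the list thread.
# Queries a Windows host over WMI/CIM and returns whether the required agent is present
# and running. Service and product names are placeholders; replace them with your agent's.
function Test-AgentCompliance {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [string]$ServiceName = 'ExampleAvAgentSvc',   # placeholder: the agent's Windows service name
        [string]$ProductName = 'Example AV Agent'     # placeholder: the agent's MSI product name
    )
    $result = [pscustomobject]@{
        ComputerName   = $ComputerName
        Reachable      = $false
        ServiceRunning = $false
        ProductFound   = $false
        Compliant      = $false
    }
    try {
        $session = New-CimSession -ComputerName $ComputerName -ErrorAction Stop
    } catch {
        # Unreachable or WMI blocked by a host firewall: report non-compliant rather than guessing.
        return $result
    }
    try {
        $result.Reachable = $true
        # Win32_Service is cheap to query and shows the agent is actually running, not merely installed.
        $svc = Get-CimInstance -CimSession $session -ClassName Win32_Service `
                               -Filter "Name='$ServiceName'" -ErrorAction SilentlyContinue
        $result.ServiceRunning = ($null -ne $svc -and $svc.State -eq 'Running')
        # Win32_Product lists MSI-installed software, but enumerating it makes Windows re-validate
        # every MSI package on the host, so only consult it when the service was not found running.
        if ($result.ServiceRunning) {
            $result.ProductFound = $true
        } else {
            $prod = Get-CimInstance -CimSession $session -ClassName Win32_Product `
                                    -Filter "Name='$ProductName'" -ErrorAction SilentlyContinue
            $result.ProductFound = ($null -ne $prod)
        }
        # Compliance requires the agent to be running; an installed but stopped agent still fails.
        $result.Compliant = $result.ServiceRunning
    } finally {
        Remove-CimSession -CimSession $session
    }
    return $result
}

# Example use: check one host (placeholder name) and report the outcome.
$check = Test-AgentCompliance -ComputerName 'pc-0042.corp.example'
if (-not $check.Compliant) { Write-Warning "$($check.ComputerName): agent missing or not running" }
```

The returned object can be logged or forwarded to whatever triggers the PacketFence violation; an unreachable host is deliberately reported as non-compliant so it stays in the evaluation VLAN.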

PacketFence-users mailing list
