Hello Durand, Thank you very much for your reply.
I have a question about your reply and hope I can get your further help.
For the identification part, you said we can use 802.1x+MAB. I don't understand why
we need MAB. Our current environment is already using 802.1x via Cisco ACS, and
MAB is not enabled in our current environment and it also works well.
Or did I misunderstand something? Do you mean use 802.1x for the normal office
users and use MAB for the VoIP phones and printers?
—802.1x based on user info from the AD source or based on the device's MAC address.
Your reply: 802.1x and mac auth bypass seems to be ok for both.
For the compliance check part, our AD servers are controlled by another team and we
are not so familiar with this part's setup, and neither is the other team. Do
you have any setup suggestion, setup guidance, sample or something on how
to use WMI to check if specific software is installed on a device?
Another solution we thought of is: keep monitoring the PF syslog; once we find a
device that passed 802.1x, immediately send a controlled-device check request to our
antivirus server (there is a condition here: if a device has installed our
antivirus agent, it must be found in our antivirus server). If the check
response is yes, we'll know this device has installed the agent, and then we
can move it to the normal VLAN; otherwise redirect the user to a portal with the
remediation solution for him.
2. Compliance and health check when registering to the office network.
—When a device logs in, check if the device has installed our official
antivirus software before giving the device normal network access. Isolate
the device from the normal inner network but give it restricted network access so
that they have a way to install the required software.
Your reply: wmi scan
For this part, the solution we are thinking of is the same as you mentioned: once our
antivirus server finds a dangerous device, it sends an alert syslog to PF, and PF uses
the received alert syslog to trigger a violation and do the next control.
Hope it works.
3. Isolating a dangerous device from the normal network
—When our antivirus agent finds some threat in the device, update the
device's VLAN to an isolation VLAN so that the threat won't spread to other
Your reply: you need to find a way to trigger a webservice api call from the
antivirus management console or send the syslog to packetfence.
Finally, when PF does the 802.1x authentication, can we trigger the WMI scan at the
same time? We want to use PF as our weapon to force people to install our
security agent before they can get normal network access.
Or if it can't happen at the same time, after every device passes 802.1x auth, we
just put it in an evaluation VLAN (with limited network access), and trigger a
violation to do the WMI scan when a device is found in the evaluation VLAN. If the
device has installed the agent, move the device to the normal VLAN; for the others,
redirect to a URL telling the user he should install our agent first, and give a link
in the URL for him to download the agent.
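The syslog-driven flow sketched in this mail (watch the PF log for a passed 802.1x, ask the antivirus server whether it knows the device, then choose normal VLAN or remediation portal), written up as an added Python example that is not part of this thread or of PacketFence. The log line layout, the inventory dictionary and the 7-day freshness cutoff are constructed assumptions, and the actual VLAN move or portal redirect is represented only by the returned action string.

```python
import re
from datetime import datetime, timedelta

# Constructed sample auth log lines. The layout is hypothetical: the real
# PacketFence syslog format is not shown in the thread and is not assumed here.
SAMPLE_SYSLOG = """\
Mar 12 10:01:02 pf packetfence: 802.1X auth OK mac=00:11:22:33:44:55 user=alice
Mar 12 10:01:05 pf packetfence: 802.1X auth OK mac=00:11:22:33:44:66 user=bob
Mar 12 10:01:09 pf packetfence: 802.1X auth OK mac=AA:BB:CC:DD:EE:FF user=carol
Mar 12 10:01:12 pf packetfence: 802.1X auth FAIL mac=00:11:22:33:44:77 user=mallory
"""

NOW = datetime(2024, 3, 12, 10, 0, 0)  # fixed "now" so the example is deterministic

# Constructed stand-in for the antivirus server's device list: MAC -> last check-in.
AV_INVENTORY = {
    "00:11:22:33:44:55": NOW - timedelta(hours=2),  # agent installed, recently seen
    "aa:bb:cc:dd:ee:ff": NOW - timedelta(days=40),  # agent installed, but silent for weeks
}
MAX_AGE = timedelta(days=7)  # an agent silent longer than this is treated as absent

AUTH_OK = re.compile(r"802\.1X auth OK mac=(?P<mac>[0-9A-Fa-f:]{17}) user=(?P<user>\S+)")


def decide(mac: str, inventory: dict, now: datetime = NOW) -> str:
    """Return the action for one device that just passed 802.1X.

    'normal_vlan' only if the antivirus server knows the MAC and the agent checked
    in recently; anything else goes to the remediation portal. This relies on the
    premise stated in the mail: a device with the agent is always in the AV inventory.
    """
    last_seen = inventory.get(mac.lower())
    if last_seen is None or now - last_seen > MAX_AGE:
        return "remediation_portal"
    return "normal_vlan"


def process_syslog(text: str, inventory: dict, now: datetime = NOW) -> list:
    """Parse auth-success lines and produce (mac, user, action) decisions."""
    decisions = []
    for line in text.splitlines():
        m = AUTH_OK.search(line)
        if not m:
            continue  # failed or unrelated lines never reach the compliance check
        mac = m.group("mac").lower()  # normalise case before the inventory lookup
        decisions.append((mac, m.group("user"), decide(mac, inventory, now)))
    return decisions


if __name__ == "__main__":
    for mac, user, action in process_syslog(SAMPLE_SYSLOG, AV_INVENTORY):
        print(f"{mac} ({user}): {action}")
```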