Hello Yan,

Le 2017-08-09 à 04:11, Yan Kimiko via PacketFence-users a écrit :
Hello Durand, Thank you very much for your reply.

I have a question about your reply and hope I can get your further help.

For the identification part, you said we can use 802.1x + MAB. I don't understand why we need MAB. Our current environment is already using 802.1x via Cisco ACS, MAB is not enabled in our current environment, and it also works well. Or did I misunderstand something: do you mean use 802.1x for the normal office users and MAB for VoIP devices and printers?
Yes, by default printers and VoIP devices are not configured to do 802.1x, so they will work with MAB.

    Our requirement:
    1. Identification
    —802.1x based on user info from the AD source or based on the device's MAC address.

Your reply: 802.1x and MAC auth bypass seem to be OK for both.


For the compliance check part, our AD servers are controlled by another team, and we are not so familiar with this part's setup, and neither is the other team. Do you have any setup suggestion, setup guidance, or sample on how to use WMI to check if specific software is installed on a device?
You need an account that is allowed to connect to each computer in order to do a WMI scan.
And another solution we thought of is: keep monitoring the PF syslog; once we find a device that passed 802.1x, immediately send a controlled-device check request to our antivirus server (there is a condition here: if a device has installed our antivirus agent, it must be found in our antivirus server). If the check response is yes, we'll know this device has installed the agent, and then we can move it to the normal VLAN; otherwise redirect the user to a portal with the remediation solution for him.
Yes it can also work.

    2. Compliance and health check when registering to the office network.
    —When a device logs in, check if the device has installed our official
    antivirus software before giving the device normal network access. Isolate
    the device from the normal inner network but give it restricted network access
    so that they can have a way to install the required software.

Your reply: WMI scan


For this part our thinking solution is the same as you mentioned: once our antivirus server finds a dangerous device, it sends an alert syslog to PF, and PF uses the received alert syslog to trigger a violation and do the next control. Hope it works.

    3. Isolation of dangerous devices from the normal network
    —When our antivirus agent finds some threat in the device, update the
    device's VLAN to an isolation VLAN so that the threat won't spread to the
    other inner network.

Your reply: you need to find a way to trigger a web service API call from the antivirus management console or send the syslog to PacketFence.


Finally, when PF does the 802.1x authentication, can we trigger a WMI scan at the same time? We want to use PF as our weapon to force people to install our security agent before they can get normal network access.
A DHCP request triggers a WMI scan, so you need to send the DHCP traffic to PacketFence. It is also possible to trigger a violation with the VLAN filter when a device connects with 802.1x.
Or if it is not happening at the same time, after every device passes 802.1x auth, we just put it in an evaluation VLAN (with limited network access), and trigger a violation to do the WMI scan when a device is found in the evaluation VLAN. If the device has installed the agent, move the device to the normal VLAN; otherwise redirect to a URL telling this user he should install our agent first, with a link in the URL for him to download the agent.


------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot


_______________________________________________
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users

It looks like you want to configure PacketFence in an advanced mode; in my opinion you can ask Inverse for professional consulting. It's not to force you, but we can guide you and let you know what is possible or not.

Regards
Fabrice
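The syslog-driven flow Yan describes (watch for a successful 802.1x authentication, look the device up in the antivirus server, then send it to the normal VLAN or to remediation) is, at its core, a small decision function. The script below is an added illustration of that logic and is not code from PacketFence or from anyone in this thread. The log line format, the antivirus inventory and the decision rules are all constructed assumptions; in a real deployment the inventory lookup would be a query against the antivirus management server and the resulting action would be a PacketFence API call or violation trigger, neither of which is shown here.

```python
"""Decide normal VLAN vs. remediation from 802.1X success events.

Added example for the PacketFence-users thread; the log format, inventory
and rules are constructed placeholders, not PacketFence's own formats.
"""
import re
from dataclasses import dataclass

# Constructed event format (assumption): one line per successful 802.1X auth.
AUTH_OK = re.compile(
    r"802\.1X AUTH_OK user=(?P<user>\S+) mac=(?P<mac>[0-9A-Fa-f:.-]{12,17})"
)

# Constructed antivirus inventory keyed by normalized MAC; stands in for the
# "is this device known to our antivirus server?" check from the thread.
AV_INVENTORY = {
    "00:11:22:33:44:55": {"agent_version": "5.2", "last_seen_hours": 2},
    "aa:bb:cc:dd:ee:ff": {"agent_version": "5.2", "last_seen_hours": 96},
}

# An agent that has not reported for a day is treated as absent (assumed policy).
MAX_STALE_HOURS = 24


def normalize_mac(raw):
    """Accept 00:11:22:33:44:55, 0011.2233.4455 or 00-11-22-33-44-55 forms."""
    hexdigits = re.sub(r"[^0-9A-Fa-f]", "", raw).lower()
    if len(hexdigits) != 12:
        raise ValueError(f"malformed MAC: {raw!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


@dataclass
class Decision:
    mac: str
    user: str
    action: str   # "normal" (move to normal VLAN) or "remediation" (portal)
    reason: str


def decide(mac, user, inventory=AV_INVENTORY):
    """Apply the thread's rule: known and recent agent -> normal, else remediation."""
    record = inventory.get(mac)
    if record is None:
        return Decision(mac, user, "remediation", "agent not found in antivirus inventory")
    if record["last_seen_hours"] > MAX_STALE_HOURS:
        return Decision(mac, user, "remediation",
                        f"agent stale: last seen {record['last_seen_hours']}h ago")
    return Decision(mac, user, "normal", f"agent {record['agent_version']} reporting")


def process_syslog(lines, inventory=AV_INVENTORY):
    """Scan log lines, act only on well-formed AUTH_OK events, return decisions."""
    decisions = []
    for line in lines:
        match = AUTH_OK.search(line)
        if not match:
            continue                      # unrelated log line, ignore
        try:
            mac = normalize_mac(match.group("mac"))
        except ValueError:
            continue                      # never act on a MAC we cannot parse
        decisions.append(decide(mac, match.group("user"), inventory))
    return decisions


# Constructed sample log lines (not real PacketFence output).
SAMPLE_LOG = [
    "Aug  9 04:11:02 pf nac-demo: 802.1X AUTH_OK user=alice mac=00:11:22:33:44:55 port=Gi1/0/3",
    "Aug  9 04:11:05 pf nac-demo: 802.1X AUTH_OK user=bob mac=AABB.CCDD.EEFF port=Gi1/0/4",
    "Aug  9 04:11:07 pf nac-demo: 802.1X AUTH_OK user=carol mac=de-ad-be-ef-00-01 port=Gi1/0/5",
    "Aug  9 04:11:09 pf nac-demo: DHCP request from 10.0.5.7",
    "Aug  9 04:11:11 pf nac-demo: 802.1X AUTH_OK user=dave mac=00:11:22:33:44:5 port=Gi1/0/6",
]

if __name__ == "__main__":
    for d in process_syslog(SAMPLE_LOG):
        print(f"{d.mac} ({d.user}): {d.action} - {d.reason}")
```

The two failure modes worth noting are the ones the thread glosses over: a device that is absent from the antivirus server and a device whose agent exists but has stopped reporting both end up in remediation, and a log line with an unparseable MAC is dropped rather than acted on, so a garbled event can never move a device to the normal VLAN.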

