It's the Checkpoint that does the redirection of URL traffic. The firewall is
located at the entrance of the datacenter and every user located in the different
sites in the province passes through it. So it's all layer 3 (IP). There is no
MAC address that either Checkpoint or PacketFence can be aware of. I don't know which
parameters are attached to the redirected URL, at least the original URL, since
I still have to set up the PoC.
Unfortunately, I can't find any reference for the specific setup that we plan.
All the information is based on a traditional NAC setup, where a controller
dynamically modifies VLAN configurations on edge switches. In our case, the
enforcement should be done at the IP layer and applied by the firewall. Checkpoint
provides a captive portal, but it isn't able to authenticate against external
sources (Google, Facebook, etc.). My customer doesn't want to create accounts
for consultants or any other temporary personnel in their own AD.
I have the same challenge with ClearPass, which I must test.
Thanks Fabrice
Benoît
________________________________
From: Durand fabrice via PacketFence-users
<[email protected]>
Sent: 7 December 2017 21:09
To: [email protected]
Cc: Durand fabrice
Subject: Re: [PacketFence-users] PoC: Social Login from Captive Portal and Firewall (Checkpoint) Enforcement
Does the redirection contain the MAC address of the device? Do you have an
example of the URL with all the parameters (any documentation)?
If there is no MAC in the URL, then you will need to send a copy of the DHCP
traffic to PacketFence.
Also, for social login you will need to allow access to the Facebook/Google/...
websites.
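What PacketFence would actually recover from the DHCP copy Fabrice suggests, as an added example that is not code from this thread or from the PacketFence project: a minimal RFC 2131 parser that watches mirrored DHCP traffic and builds the IP-to-MAC table the firewall's IP-only redirect cannot supply. Only a server ACK is trusted as proof that a client owns an address; DISCOVER and NAK messages are ignored. The packets are constructed inline for the example, not captured, and the addresses in them are made up.

```python
"""Learn IP -> MAC bindings from a copy of DHCP traffic.

Added example, not code from the thread or from PacketFence. DHCP layout
follows RFC 2131; the sample packets below are constructed, not captured.
"""
import struct
from ipaddress import IPv4Address

BOOTP_REQUEST, BOOTP_REPLY = 1, 2
MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_MSG_TYPE, OPT_LEASE_TIME, OPT_END, OPT_PAD = 53, 51, 255, 0
DHCPDISCOVER, DHCPACK, DHCPNAK = 1, 5, 6


def parse_options(data):
    """Walk the TLV option area after the magic cookie; returns {code: value}."""
    opts, i = {}, 0
    while i < len(data):
        code = data[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            i += 1
            continue
        if i + 1 >= len(data):
            raise ValueError("truncated option header")
        length = data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        opts[code] = value
        i += 2 + length
    return opts


def parse_dhcp(packet):
    """Return (op, msg_type, yiaddr, mac, lease_seconds) from a DHCP payload."""
    if len(packet) < 240 or packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    op, htype, hlen = packet[0], packet[1], packet[2]
    yiaddr = str(IPv4Address(packet[16:20]))          # address offered/assigned
    chaddr = packet[28:28 + hlen]                      # client hardware address
    # Only Ethernet (htype 1, 6-byte address) is meaningful for a NAC.
    mac = ":".join(f"{b:02x}" for b in chaddr) if (htype, hlen) == (1, 6) else None
    opts = parse_options(packet[240:])
    msg_type = opts.get(OPT_MSG_TYPE, b"\x00")[0]
    lease = struct.unpack("!I", opts[OPT_LEASE_TIME])[0] if OPT_LEASE_TIME in opts else None
    return op, msg_type, yiaddr, mac, lease


def learn_binding(table, packet):
    """Update the IP->MAC table from one packet; returns True if it changed."""
    op, msg_type, ip, mac, lease = parse_dhcp(packet)
    # Only a server's ACK proves the client now owns that address.
    if op != BOOTP_REPLY or msg_type != DHCPACK or mac is None or ip == "0.0.0.0":
        return False
    table[ip] = {"mac": mac, "lease": lease}
    return True


def build_dhcp(op, msg_type, yiaddr, mac, lease=None):
    """Constructed test packet (not a capture): 236-byte BOOTP header + options."""
    chaddr = bytes.fromhex(mac.replace(":", "")).ljust(16, b"\x00")
    header = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                         op, 1, 6, 0, 0x3903F326, 0, 0,
                         b"\x00" * 4, IPv4Address(yiaddr).packed,
                         b"\x00" * 4, b"\x00" * 4, chaddr, b"\x00" * 64, b"\x00" * 128)
    options = bytes([OPT_MSG_TYPE, 1, msg_type])
    if lease is not None:
        options += bytes([OPT_LEASE_TIME, 4]) + struct.pack("!I", lease)
    return header + MAGIC_COOKIE + options + bytes([OPT_END])


# Constructed samples; the addresses are made up for the example.
SAMPLE_ACK = build_dhcp(BOOTP_REPLY, DHCPACK, "10.20.30.40", "00:11:22:33:44:55", lease=3600)
SAMPLE_DISCOVER = build_dhcp(BOOTP_REQUEST, DHCPDISCOVER, "0.0.0.0", "00:11:22:33:44:55")
SAMPLE_NAK = build_dhcp(BOOTP_REPLY, DHCPNAK, "0.0.0.0", "00:11:22:33:44:55")

if __name__ == "__main__":
    bindings = {}
    for pkt in (SAMPLE_DISCOVER, SAMPLE_ACK, SAMPLE_NAK):
        learn_binding(bindings, pkt)
    print(bindings)
```

The lookup the captive portal needs is then a plain `table[client_ip]["mac"]` on the redirected client's source IP. Keeping the lease time lets the table expire stale bindings, which matters because a reassigned IP would otherwise be attributed to the previous device.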
On 2017-12-07 at 21:03, Benoît Dubé via PacketFence-users wrote:
With Checkpoint's Identity Awareness, HTTP or HTTPS for unknown users (from the AD point
of view) is redirected to a captive portal URL.
Thanks Fabrice
________________________________
From: Durand fabrice via PacketFence-users
<[email protected]>
Sent: 7 December 2017 20:26
To: [email protected]
Cc: Durand fabrice
Subject: Re: [PacketFence-users] PoC: Social Login from Captive Portal and Firewall (Checkpoint) Enforcement
Hello Benoît,
My question is how the Checkpoint firewall will redirect the external devices
to the captive portal?
Regards
Fabrice
On 2017-12-06 at 11:58, Benoît Dubé via PacketFence-users wrote:
Hi everyone,
I need to do a proof of concept to authenticate external users, in a BYOD use
case, with their social login and/or their own enterprise accounts if they have
MS AD, and to do the enforcement with the Checkpoint firewall. The most important
part is the social login.
Here is what I have in mind:
- Every user's traffic goes to the inline firewall, mainly from a wired connection
- Internal users are identified against their AD based on Checkpoint Identity
Awareness (AD Query)
- External users are redirected to a captive portal. This is where PacketFence
comes into play
- External users register with PacketFence, which authenticates them against social
login services
- If social authentication succeeds, a sponsorship feature sends a message to a
defined sponsor who accepts or denies the user. The sponsor should be able to set
the role/group for each user.
- PacketFence should keep user information to manage future access.
- Later, when a registered user is redirected to the captive portal
(PacketFence) for identification, PacketFence should authenticate against the
social login service and, if it succeeds, send RADIUS accounting data to the
Checkpoint to give the user network access based on the policy defined in the
Checkpoint. Checkpoint R80 should also receive and parse the group information
from PacketFence within the RADIUS accounting. This group information corresponds
to the role/group defined by the sponsor when the user registers.
As you can see, there is no 802.1X involved, nor VLAN assignment/enforcement.
Enforcement is applied by the firewall.
Is this a possible use case for PacketFence? If yes, what are the main steps to
configure it?
Benoît
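The last step of the flow above, the RADIUS accounting message PacketFence would send to the Checkpoint, shown as an added example that is neither PacketFence's nor Checkpoint's code: an RFC 2866 Accounting-Request (Start) carrying the user name, the client's IP (Framed-IP-Address), the MAC if known, and the sponsor-assigned group, plus the Request Authenticator check the receiving side performs before trusting it. Which attribute Identity Awareness reads the group from is configured on the Checkpoint side; using Class (25) here is an assumption, as are the shared secret, user, group and addresses, which are all constructed for the example.

```python
"""Build and verify a RADIUS Accounting-Request (Start) per RFC 2866.

Added example, not PacketFence's or Checkpoint's code. Group in Class (25)
is an assumption; the secret and sample values are constructed.
"""
import hashlib
import struct

ACCOUNTING_REQUEST = 4
USER_NAME, FRAMED_IP_ADDRESS, CLASS = 1, 8, 25
CALLING_STATION_ID, ACCT_STATUS_TYPE, ACCT_SESSION_ID = 31, 40, 44
ACCT_START, ACCT_STOP = 1, 2


def attr(code, value):
    """One attribute TLV; the RADIUS length byte includes the 2-byte header."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", code, len(value) + 2) + value


def ipv4(text):
    """Dotted quad -> 4 network-order bytes (Framed-IP-Address format)."""
    return bytes(int(o) for o in text.split("."))


def build_accounting(status, user, framed_ip, group, session_id, secret,
                     mac=None, identifier=1):
    """Assemble the packet and compute the Request Authenticator."""
    attrs = attr(ACCT_STATUS_TYPE, struct.pack("!I", status))
    attrs += attr(USER_NAME, user.encode())
    attrs += attr(FRAMED_IP_ADDRESS, ipv4(framed_ip))
    attrs += attr(CLASS, group.encode())          # group attribute: assumption
    attrs += attr(ACCT_SESSION_ID, session_id.encode())
    if mac:
        attrs += attr(CALLING_STATION_ID, mac.encode())
    length = 20 + len(attrs)                      # 4-byte header + 16-byte authenticator
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, identifier, length)
    # RFC 2866 s.3: MD5 over Code+ID+Length, 16 zero octets, attributes, secret.
    authenticator = hashlib.md5(header + b"\x00" * 16 + attrs + secret).digest()
    return header + authenticator + attrs


def verify_request_authenticator(packet, secret):
    """What the receiver does before acting on the identity in the packet."""
    header, received, attrs = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + b"\x00" * 16 + attrs + secret).digest()
    return received == expected


def parse_attributes(packet):
    """Return {code: [values]} from the attribute area after the header."""
    out, i, body = {}, 0, packet[20:]
    while i < len(body):
        code, length = body[i], body[i + 1]
        if length < 2 or i + length > len(body):
            raise ValueError("malformed attribute")
        out.setdefault(code, []).append(body[i + 2:i + length])
        i += length
    return out


# Constructed sample values; none come from the thread.
SECRET = b"pf-checkpoint-shared-secret"
SAMPLE_START = build_accounting(ACCT_START, "jdoe", "10.20.30.40",
                                "consultants", "pf-0001", SECRET,
                                mac="00:11:22:33:44:55")

if __name__ == "__main__":
    print(len(SAMPLE_START), verify_request_authenticator(SAMPLE_START, SECRET))
    print(parse_attributes(SAMPLE_START))
```

Two points worth checking on the Checkpoint side of such a PoC: the shared secret and the list of permitted accounting clients are the only things that stop an arbitrary host from asserting "this IP belongs to user X in group Y", and a matching Accounting-Request with Acct-Status-Type Stop (value 2) is what ends the association when PacketFence decides the session is over.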
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users