Hello Martin,
The difference between machine authentication and user authentication is
very minimal.
When you join a Windows computer to the domain then in the AD computers
OU you will have a computer account and when you configure your
supplicant to do computer authentication then the username will be
host\computer_name.
With user authentication the only difference is the format of the
username (bob versus host\computer_name).
So you can use 802.1x authentication with PEAP-MSCHAPv2 even if the
device is not joined to the domain by doing user auth.
Also if you want to do EAP-TLS then you will need to have the CA public
key of your PKI and put it in the file eap.conf (CA_file = /usr/.....ca.pem)
Then if a device does EAP-TLS with a certificate signed by your PKI then
RADIUS will allow the access.
Regards
Fabrice
On 2018-06-06 at 09:57, Schenkelberg, Martin via PacketFence-users wrote:
Hi all,
we are using PacketFence together with Aruba and H3C switches. And I
need some help configuring 802.1x cert authentication for devices not
joined to our Active Directory.
We use PacketFence 8.0.1 ZEN with VLAN enforcement; the PF is joined
to our Active Directory.
MAC auth works fine, 802.1x auth for domain computers works fine, but
I have no idea how to authenticate non-domain-member devices against
our Active Directory.
Is this possible? What is needed to get this going?
Here: https://www.msxfaq.de/windows/sicherheit/8021x.htm (German page)
I found some information about manually creating a device certificate and
a computer object, but I was not able to get this
to work.
Any ideas?
Thank you
Kind regards
*Martin Schenkelberg*
IT Consulting and Services
*H&G Hansen & Gieraths*
EDV Vertriebsgesellschaft mbH
Bornheimer Straße 42-52
D-53111 Bonn
martin.schenkelb...@hug.de <mailto:martin.schenkelb...@hug.de>
www.hug.de
*H&G Hansen & Gieraths EDV Vertriebsgesellschaft mbH,
P.O. Box 1605, 53006 Bonn, VAT ID No. DE122121252*
Managing Director: Dr. H. Hellmuth Hansen
Registered office: Bonn, Bonn District Court HR B 4027
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users
--
Fabrice Durand
fdur...@inverse.ca :: +1.514.447.4918 (x135) :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence
(http://packetfence.org)
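
The EAP-TLS trust decision described in the reply above (a client certificate is accepted only if it chains to the CA configured in eap.conf), reproduced offline with the openssl CLI. This is an added example, not part of the original thread and not PacketFence's own code; the CA names and host names are constructed, and corp-ca.pem stands in for the ca.pem that CA_file points at.

```shell
#!/bin/sh
# Added example: throwaway CAs and client certificates, all constructed here.
# Assumes the openssl command-line tool is installed.

# make_ca <dir> <name>: create a self-signed CA certificate <dir>/<name>.pem
make_ca() {
  printf '[req]\ndistinguished_name=dn\nx509_extensions=v3_ca\n[dn]\nCN=unused\n[v3_ca]\nbasicConstraints=critical,CA:TRUE\n' > "$1/$2.cnf"
  openssl req -x509 -config "$1/$2.cnf" -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=$2" -keyout "$1/$2.key" -out "$1/$2.pem" 2>/dev/null
}

# issue_client <dir> <ca-name> <cn>: issue a TLS client certificate signed by that CA
issue_client() {
  openssl req -new -config "$1/$2.cnf" -newkey rsa:2048 -nodes -subj "/CN=$3" \
    -keyout "$1/$3.key" -out "$1/$3.csr" 2>/dev/null || return 1
  printf 'extendedKeyUsage=clientAuth\n' > "$1/$3.ext"
  openssl x509 -req -in "$1/$3.csr" -CA "$1/$2.pem" -CAkey "$1/$2.key" \
    -CAcreateserial -days 1 -extfile "$1/$3.ext" -out "$1/$3.pem" 2>/dev/null
}

# chains_to_ca <ca.pem> <cert.pem>: exit 0 only if the certificate validates
# against that CA for TLS client use
chains_to_ca() {
  openssl verify -purpose sslclient -CAfile "$1" "$2" >/dev/null 2>&1
}

# demo: one device enrolled by the configured CA, one by an unrelated CA
demo() {
  d=$(mktemp -d) || return 1
  make_ca "$d" corp-ca && make_ca "$d" other-ca || return 1
  issue_client "$d" corp-ca laptop01 || return 1
  issue_client "$d" other-ca unknown01 || return 1
  if chains_to_ca "$d/corp-ca.pem" "$d/laptop01.pem"; then r1=accept; else r1=reject; fi
  if chains_to_ca "$d/corp-ca.pem" "$d/unknown01.pem"; then r2=accept; else r2=reject; fi
  rm -rf "$d"
  echo "$r1 $r2"
}

demo   # prints: accept reject
```

Running the same `openssl verify` against a real device certificate and the configured CA file is a quick pre-check before debugging the RADIUS side.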