Hello Wifi,

On 2018-12-03 at 09:18, Wifi Guy via PacketFence-users wrote:
Hi All,

I seem to now have this working to a degree.....

I have two authentication sources set up. One for servicePrincipalName and one for sAMAccountName. So if a Windows machine is booted up, before any login/sign-in, machine auth is completed and a role is assigned. When the device logs in, another role is set for user auth.

The issue I have with this is that both corp users and BYOD users can have the TLS certs and gain the same network access. I can't figure out a way to separate this. If corp-owned devices had a TLS cert vs a BYOD device doing MSCHAPv2, could we filter this way? It's not ideal, would prefer all to be TLS. Could also set up another CA for BYOD, but this is a management overhead! :)

You can create a connection profile, define the sub connection type as a filter and choose the sources you want to use.

So the TLS connection profile is for corporate and the MSCHAPv2 one is for BYOD, and the rules in the authentication sources are not the same.



What would work is, for example, if you were able to chain the computer/user auth, so if a device was seen to do both then a role (Corp-Trusted) is set, however if the device went straight to user auth then a role (BYOD-Trusted) is set. It's not truly chained as it is two separate authentications, but you get the idea. Currently I can't see any options in authentication rules that would enable this. The filters are only for matches "all" or "any"; there isn't an "and"/"or" option.
If the device already did a machine auth then the machine_account will be filled (https://github.com/inverse-inc/packetfence/blob/devel/conf/vlan_filters.conf.example#L258), so you can play with that to detect a corporate machine versus BYOD.

I'm sure I'm not the first to ask this :)

Regards

Fabrice


On Thu, 29 Nov 2018 at 11:03, Wifi Guy <wifisp...@gmail.com> wrote:

    Good Morning all,

    I have managed to get very far to date with my installation.

    However, I am struggling with the last piece of the puzzle: how to
    handle BYOD devices that authenticate via EAP-TLS (onboarding
    process) and distinguish them from corp users.

    So I thought the best way to handle this is that corp users
    that authenticate with EAP-TLS will use Machine Auth and be
    assigned into a machine role, and other users will be assigned
    into a BYOD policy. Is this the best approach?

    So, to the setup: I managed to get a reg VLAN set up. This allows
    users who are not part of the domain to authenticate via a CWP.
    There are provisioners set up to assign the device the TLS cert.
    This works great! :)

    For my corp machines, currently the GPO etc. are set up. User and
    computer certs are sent on domain join, so no issues with
    auto-enrollment. Also the machine has the SSID specified with TLS
    set and the option computer authentication selected. In an ideal
    world I would be able to chain the authentication (something like
    TEAP) where computer auth happens at login and then user auth
    happens at login. But I can't see a way to do this without
    breaking the BYOD issue?

    My question is: what should the GUI setup look like? Currently I
    have two internal AD sources, one for computer auth
    (servicePrincipalName) and one for user auth. From the
    documentation it's not clear how the connection profiles should
    look, what order things should be in, and whether I am looking at
    this the wrong way.

    Any advice, help etc. would be very helpful.

    WiFiGuy



_______________________________________________
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users

--
Fabrice Durand
fdur...@inverse.ca ::  +1.514.447.4918 (x135) ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
(http://packetfence.org)
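As an added illustration (not PacketFence code, and not the vlan_filters.conf syntax linked above), the following Python models the two pieces Fabrice describes: a profile chosen by sub connection type, and a user-auth decision that depends on whether the same MAC has already recorded a machine account. The role names beyond Corp-Trusted and BYOD-Trusted, the sub connection type labels, the event shape, the sample events and the 24-hour expiry on a recorded machine auth are all assumptions made for this example.

```python
# Added illustration, not PacketFence code: models the decision discussed in the
# thread (connection profile picked by sub connection type, then a filter on
# whether the node already did a machine authentication). Event fields, role
# names, the sub-connection-type strings and the max-age threshold are assumed.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Sub connection types (assumed labels for the two EAP methods in the thread).
EAP_TLS = "EAP-TLS"
EAP_MSCHAPV2 = "EAP-PEAP/MSCHAPv2"

# Role names follow the ones proposed in the thread; "Corp-Machine" is assumed
# for the pre-login machine authentication.
ROLE_CORP_MACHINE = "Corp-Machine"
ROLE_CORP_TRUSTED = "Corp-Trusted"
ROLE_BYOD_TRUSTED = "BYOD-Trusted"
ROLE_REJECT = "reject"

# Assumption: a recorded machine authentication only counts as evidence of a
# corporate device for this long. Without an expiry the recorded machine account
# is sticky, and a MAC that did machine auth once stays "corporate" forever.
MACHINE_AUTH_MAX_AGE = 24 * 3600  # seconds


@dataclass
class AuthEvent:
    mac: str
    sub_connection_type: str
    identity: str   # User-Name / certificate identity as seen by RADIUS
    timestamp: int  # seconds


@dataclass
class Node:
    """Per-MAC state, the equivalent of a node record's machine_account."""
    mac: str
    machine_account: Optional[str] = None
    machine_auth_time: Optional[int] = None
    role: Optional[str] = None


def is_machine_identity(identity: str) -> bool:
    """AD machine accounts present as host/<fqdn> (servicePrincipalName) or as
    a name ending in '$'; user accounts present a sAMAccountName."""
    ident = identity.strip().lower()
    return ident.startswith("host/") or ident.endswith("$")


def select_profile(event: AuthEvent) -> Optional[str]:
    """Mimics two connection profiles filtered on sub connection type:
    EAP-TLS goes to the corporate profile, MSCHAPv2 to the BYOD profile."""
    if event.sub_connection_type == EAP_TLS:
        return "corporate-tls"
    if event.sub_connection_type == EAP_MSCHAPV2:
        return "byod-mschapv2"
    return None


def assign_role(nodes: Dict[str, Node], event: AuthEvent) -> str:
    node = nodes.setdefault(event.mac, Node(event.mac))
    profile = select_profile(event)
    if profile is None:
        node.role = ROLE_REJECT
        return node.role

    if profile == "corporate-tls" and is_machine_identity(event.identity):
        # Pre-login machine auth: remember it on the node, like machine_account.
        node.machine_account = event.identity
        node.machine_auth_time = event.timestamp
        node.role = ROLE_CORP_MACHINE
        return node.role

    if profile == "corporate-tls":
        # User auth over EAP-TLS: a BYOD device onboarded with a cert lands here
        # too, so the only difference is the earlier machine auth on this MAC.
        recent = (
            node.machine_account is not None
            and event.timestamp - node.machine_auth_time <= MACHINE_AUTH_MAX_AGE
        )
        node.role = ROLE_CORP_TRUSTED if recent else ROLE_BYOD_TRUSTED
    else:
        # MSCHAPv2 profile: BYOD by construction. No machine account is recorded
        # from it, so this path can never promote a MAC to Corp-Trusted.
        node.role = ROLE_BYOD_TRUSTED
    return node.role


# Constructed sample sequence: a corporate laptop booting then logging in,
# a BYOD phone with an onboarded cert, a BYOD laptop on MSCHAPv2, and the
# corporate laptop's user logging in again a day later without a fresh boot.
SAMPLE_EVENTS: List[AuthEvent] = [
    AuthEvent("aa:bb:cc:00:00:01", EAP_TLS, "host/lap01.corp.example", 0),
    AuthEvent("aa:bb:cc:00:00:01", EAP_TLS, "jdoe", 120),
    AuthEvent("aa:bb:cc:00:00:02", EAP_TLS, "asmith", 200),
    AuthEvent("aa:bb:cc:00:00:03", EAP_MSCHAPV2, "bjones", 300),
    AuthEvent("aa:bb:cc:00:00:01", EAP_TLS, "jdoe", 25 * 3600),
]


def run(events: List[AuthEvent]) -> List[Tuple[str, str, str]]:
    nodes: Dict[str, Node] = {}
    return [(e.mac, e.identity, assign_role(nodes, e)) for e in events]


if __name__ == "__main__":
    for mac, ident, role in run(SAMPLE_EVENTS):
        print(f"{mac}  {ident:28} -> {role}")
```

The last sample event is the case the thread calls "not truly chained": the decision is keyed on state left behind by an earlier, separate authentication on the same MAC, so in this model an age check on that state is what stops a device from staying corporate indefinitely after a single machine auth.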
