Thanks for the swift response. PKI in use is dogtag as part of the FreeIPA/IdM suite. We're using host certs there though, so don't have any user identifying attributes baked into the certs which we can use to do the dot1x recompute role magic.

That's kind of why I was hoping we can do an auth triggered, or even CRONd recompute using the PID/user that packetfence already has stored for the node against the working LDAP sources we have for role assignment. Does this make sense?

Thanks,
David

On Fri, Jul 30, 2021 at 1:54 PM Zammit, Ludovic <luza...@akamai.com> wrote:
> Hello David,
>
> Using EAP TLS is different from EAP PEAP because in EAP TLS we don't trust the username sent by the device since it can be changed on the fly.
>
> PF will trust attributes from the certificate like:
>
> PacketFence-UserNameAttribute
> TLS-Client-Cert-Subject-Alt-Name-Upn
> TLS-Client-Cert-Common-Name
>
> (Configuration > System Configuration > RADIUS > General)
>
> Which PKI are you using?
>
> If you are using the AD CS, the username would look like a DN, so in your LDAP source switch from samaccountname look up to distinguishedName.
>
> Thanks,
>
> Ludovic Zammit
> Product Support Engineer Principal
> Cell: +1.613.670.8432
> Akamai Technologies - Inverse
> 145 Broadway
> Cambridge, MA 02142
>
> On Mar 11, 2021, at 2:45 PM, David Harvey <da...@thoughtmachine.net> wrote:
>
> Hi again!
>
> 802.1x (EAP-TLS), but with machine certificates so there isn't a user attribute that's currently clearly associated with the certificates..
> Thanks as ever,
>
> David
>
> On Thu, 11 Mar 2021, 13:08 Ludovic Zammit, <lzam...@inverse.ca> wrote:
>> Hello David,
>>
>> Are you doing 802.1x or MAC authentication?
>>
>> Thanks,
>>
>> Ludovic Zammit
>> lzam...@inverse.ca :: +1.514.447.4918 (x145) :: www.inverse.ca
>> Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence (http://packetfence.org)
>>
>> On Mar 11, 2021, at 7:44 AM, David Harvey <da...@thoughtmachine.net> wrote:
>>
>> Thanks Ludovic,
>>
>> I've been having some difficulty on the bulk import of users to ensure they're created, but that's another problem for another thread ;)
>> For existing users if I import using the `./pfcmd import nodes` method I still have to pick between them using a default role value, or specifying it in the csv directly.
>> ```
>> [default-role=<role>] is the default role when none is defined via the import file.
>> When none is specified, it defaults to node_import.category in pf.conf
>> ```
>>
>> Is there a way to ensure that an updated node keeps its current role or recalculates against the owner?
>>
>> Thanks again for your help,
>> David
>>
>> On Mon, Mar 8, 2021 at 8:02 PM Ludovic Zammit <lzam...@inverse.ca> wrote:
>>> Hello David,
>>>
>>> Make sure all those users are already created before the import or use "default".
>>>
>>> Thanks,
>>>
>>> Ludovic Zammit
>>> lzam...@inverse.ca :: +1.514.447.4918 (x145) :: www.inverse.ca
>>> Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence (http://packetfence.org)
>>>
>>> On Feb 26, 2021, at 12:31 PM, David Harvey via PacketFence-users <packetfence-users@lists.sourceforge.net> wrote:
>>>
>>> Experimenting on the same topic I have also found inconsistent behaviour with "./pfcmd import nodes /tmp/testimport.csv columns=mac,pid,category"
>>>
>>> 00:54:E8:61:32:00,auser,developer
>>> 00:F0:5D:18:93:00,anotheruser,developer
>>> 00:9a:4c:51:b7:00,andanotherone,developer
>>> 00:d8:00:e8:a5:00,opsuser,ops
>>>
>>> It seems to only set the role (category) every second run if they're all the same role; on alternate runs it unsets the role altogether for the nodes.
>>> If I attempt a mix of roles it seems to set one role type and unsets the other!
>>> I hope that I can avoid setting the role here altogether given my initial query on using the existing source and mechanisms, but thought it worth mentioning.
>>>
>>> pf 10.2.0 on Debian 9.13
>>> Thanks,
>>> David
>>>
>>> On Fri, Feb 26, 2021 at 2:59 PM David Harvey <da...@thoughtmachine.net> wrote:
>>>> Dear Packetfence users,
>>>>
>>>> I'm looking for advice on updating my node owners whilst preserving or recalculating roles.
>>>> With many new users working from home, their nodes have been registered as a default owner, with the role being manually set. Although I have a configured LDAP source which applies roles correctly to portal users, the users haven't been present to login through the portal.
>>>>
>>>> I'm looking to update the ownership with asset data that maps MAC to user using /pfcmd import nodes, but to do so requires the roles to be available on the csv file, or otherwise to set a default value.
>>>>
>>>> Is there a way to recalculate the role for a node from its owner information using an existing LDAP authentication source? Sadly I don't think I can use "dot1x recompute role from portal" as my certs are machine certs and don't have the owner/pid present. I've been struggling to find info on the "MAC auth computer role from portal" option.
>>>>
>>>> Thanks in advance,
>>>>
>>>> David
>>>>
>>>> --
>>>> Data Classification: Public
>>
>> Thought Machine Group a limited company registered in England & Wales.
>> Registered number: 11114277.
>> Registered Office: 5 New Street Square, London EC4A 3TW
>>
>> The content of this email is confidential and intended for the recipient specified in message only. It is strictly forbidden to share any part of this message with any third party, without a written consent of the sender. If you received this message by mistake, please reply to this message and follow with its deletion, so that we can ensure such a mistake does not occur in the future.

--
Data Classification: Public
Web: www.thoughtmachine.net
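The thread's workaround is to carry the role in the CSV itself, since `pfcmd import nodes ... columns=mac,pid,category` otherwise falls back to `default-role` / `node_import.category`. As an added example (not the thread's or PacketFence's own code), the script below builds that CSV from asset data (MAC to owner), deriving each node's `category` from the owner's LDAP group memberships and keeping the node's current role when no group maps; `GROUP_TO_ROLE`, `DIRECTORY`, the lowercase colon-separated MAC form and all function names are assumptions, and the directory lookup is a constructed stand-in for a real LDAP source.

```python
import csv
import io
import re

# Constructed: LDAP group DN -> PacketFence role, most specific first.
GROUP_TO_ROLE = [
    ("cn=ops,ou=groups,dc=example,dc=com", "ops"),
    ("cn=developers,ou=groups,dc=example,dc=com", "developer"),
]

# Constructed stand-in for the LDAP source: pid -> group memberships.
DIRECTORY = {
    "auser": ["cn=developers,ou=groups,dc=example,dc=com"],
    "opsuser": ["cn=ops,ou=groups,dc=example,dc=com"],
    "contractor": [],  # known to LDAP but in no role-bearing group
}

_MAC_RE = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(mac: str) -> str:
    """Canonicalise to lowercase aa:bb:cc:dd:ee:ff (assumed PF storage form); reject junk."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if not _MAC_RE.match(hexdigits):
        raise ValueError(f"invalid MAC: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def role_for(pid, current_role, default_role):
    """Recalculate from the owner's groups; keep current role if none maps; else default."""
    groups = set(DIRECTORY.get(pid, []))
    for group, role in GROUP_TO_ROLE:
        if group in groups:
            return role
    return current_role or default_role


def build_import_csv(assets, current_roles, default_role="default"):
    """assets: (mac, pid) pairs; current_roles: normalized mac -> role already in PF."""
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    seen = set()
    for mac, pid in assets:
        mac = normalize_mac(mac)
        if mac in seen:  # a duplicated asset row would otherwise be imported twice
            continue
        seen.add(mac)
        writer.writerow([mac, pid, role_for(pid, current_roles.get(mac), default_role)])
    return out.getvalue()
```

The output has no header row and matches the `columns=mac,pid,category` order exactly, so every node gets an explicit role on each run.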
_______________________________________________
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users