Hello Heiko,

Few questions:

Are you currently using EAP TLS for your network? Is it wired or wireless access? I will assume it's wired but I prefer to ask.

If it's wired, you actually choose the method of authentication on the switch port configuration. Even if they have 802.1x configuration at the NIC level it would do MAC authentication if you tell it to.

If you are not already using EAP TLS for your network, you could create a new EAP TLS profile that serves a certificate from a Root CA that they already trust.

Example:
EAP PEAP = Your RADIUS certificate
EAP TLS = CompanyA RADIUS certificate

Thanks,

Ludovic Zammit
Product Support Engineer Principal
Cell: +1.613.670.8432
Akamai Technologies - Inverse
145 Broadway
Cambridge, MA 02142

> On Sep 6, 2021, at 8:38 AM, Matthies, Heiko via PacketFence-users <packetfence-users@lists.sourceforge.net> wrote:
>
> Hello,
>
> I'm looking for a way to integrate devices from partner companies into our network. I planned to provide an extra VLAN at every site which allows nothing but basic internet access without a captive portal.
> They normally use certificate based authentication via EAP-TLS which leads me to my problem:
> - By default, Windows is configured to ignore certificate handshakes with RADIUS servers it does not trust. As the devices were provisioned by third party companies there is no way that their configuration would trust my self signed RADIUS certificates
> - I tried working around this issue by providing MAB authentication but the devices seem to notice that their preferred authentication method (dot1x) fails and just try it again after some cooldown time -> this behavior leads to recurring disconnects from the network (I've already set the reauthenticate timer to 23 hours so the reauthentication would not occur during business times)
>
> What is the best way to handle this kind of device? The notebooks sadly don't support captive portal (because they require a VPN tunnel before any kind of web traffic is allowed) which is why they can't use our Guest-Wifi.
>
> If you need any more information, feel free to ask.
> Thank you!
>
> Greetings
>
> Heiko
>
> ASAP Engineering GmbH | Sachsstraße 1A | 85080 Gaimersheim
> Tel. +49 (8458) 3389 0 | Fax. +49 (8458) 3389 399
> heiko.matth...@asap.de | http://www.asap.de
>
> Managing directors: Michael Neisen, Robert Werner, Christian Schweiger | Registered office: Gaimersheim | Commercial register: Ingolstadt HRB 5408
>
> Data protection: Detailed information on how ASAP handles your personal data is available on our website at www.asap.de\datenschutz.
>
> _______________________________________________
> PacketFence-users mailing list
> PacketFence-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/packetfence-users
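Worked example of the switch-port side of Ludovic's point (you pick the method on the port, not on the NIC), added here and not taken from the thread or from PacketFence. The thread does not name the switch vendor, so Cisco IOS flexible-authentication syntax, the interface name and the VLAN id are assumptions; the two variants show why a MAB-authorized partner notebook keeps getting bounced and how the port is set so its 802.1X retries no longer preempt the MAB session.

```cisco
! Constructed example, Cisco IOS syntax assumed (the thread does not say which switch is used).
! Port for partner notebooks that should be admitted by MAB into an internet-only VLAN.
!
! --- Problematic variant: dot1x keeps the highest priority (the IOS default) ---
! MAB authorizes the notebook, but the next EAPOL-Start it sends lets dot1x preempt the
! MAB session; EAP-TLS then fails against the untrusted RADIUS certificate and the
! session is torn down, which matches the recurring disconnects Heiko describes.
interface GigabitEthernet1/0/10
 switchport mode access
 switchport access vlan 210
 authentication order mab dot1x
 authentication priority dot1x mab
 authentication port-control auto
 mab
 dot1x pae authenticator
!
! --- Corrected variant: MAB is both first in order and highest in priority ---
! Once MAB has authorized the session, an EAPOL-Start from the client cannot preempt it,
! so the notebook's 802.1X retries are ignored instead of flapping the port.
! Re-authentication keeps the 23 h interval Heiko already uses (82800 s) and is driven
! by the switch timer rather than by the client's supplicant.
interface GigabitEthernet1/0/10
 switchport mode access
 switchport access vlan 210
 authentication host-mode single-host
 authentication order mab dot1x
 authentication priority mab dot1x
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate 82800
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
 spanning-tree portfast
!
! Check after a partner notebook connects: "show authentication sessions interface
! GigabitEthernet1/0/10 details" should report the session as authorized via mab,
! and the MAB log on the RADIUS side should show one accept per reauth interval, not
! a failed EAP-TLS attempt every few minutes.
```

Anything that is not in a registered MAC list will still fail MAB, so the internet-only VLAN is only reached by devices PacketFence already knows; the partner's EAP-TLS supplicant never has to trust the local RADIUS certificate.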