Hello Ludovic,

This issue regards just the wired access, as those devices are unable to use our guest Wi-Fi (which is currently not PacketFence-based). The customer who provided those devices is very restrictive about usage outside of their own company network, which is why the devices need a VPN connection in order to access any kind of website -> captive-portal detection does not work correctly on those machines (but this is another topic).

Yes, I think I figured out the correct switchport config for the usage of both internal corporate clients and partner company clients. My goal was to streamline the switchport configs so that most of our switchports would be configured equally and every port provides the same capabilities. I went with putting MAB auth first and then following with dot1x auth. This way, those partner devices get processed right away and don't get to present their certificate. The only downside of this is that I get two reject events before the accept for my own corporate clients, because I disallowed authentication via MAB for those. Is there a better solution for this (maybe I could ignore MAB requests for a specific kind of node group)?

We are currently using EAP-TTLS for our own clients; the partner devices use EAP-TLS. In theory, this would be possible, but I doubt that I would get my hands on a certificate from this company; as I said, they are very restrictive and I don't think they would provide something like this for us. I think I will stick to the "authentication order" solution for now, at least for those special clients, but maybe there really is a way to just serve dot1x auth for selected clients without sending a reject first.

Thank you!

Greetings
Heiko

ASAP Engineering GmbH
Sachsstraße 1A | 85080 Gaimersheim
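The switch-port setup Heiko describes in his reply (MAB tried first, 802.1X afterwards), written out as an added Cisco IOS interface example; it is not from the thread, and because the thread never names the switch vendor, the IOS syntax, the interface name and the VLAN number are assumptions:

```cisco
! Added example, not from the thread. Cisco IOS syntax, interface name and
! VLAN number are assumptions; the thread does not name the switch vendor.
interface GigabitEthernet1/0/10
 description Shared access port: partner notebooks (MAB) and corporate clients (802.1X)
 switchport mode access
 ! The static access VLAN is only the fallback. PacketFence returns the final
 ! VLAN (partner "internet only" VLAN or corporate VLAN) in the RADIUS Access-Accept.
 switchport access vlan 100
 authentication host-mode single-host
 authentication port-control auto
 ! MAB runs first, so a partner notebook is authorised on its MAC address
 ! before the switch sends it an EAP-Request it would refuse to complete.
 authentication order mab dot1x
 ! 802.1X keeps the higher priority: a corporate client whose MAB attempt is
 ! rejected by PacketFence still gets its EAP-TTLS exchange afterwards, and an
 ! 802.1X result overrides a MAB result on the same session.
 authentication priority dot1x mab
 ! Take the reauthentication interval from the RADIUS Session-Timeout
 ! attribute instead of a fixed local value.
 authentication periodic
 authentication timer reauthenticate server
 mab
 dot1x pae authenticator
 spanning-tree portfast
```

The reject events corporate clients produce before their 802.1X accept are a direct consequence of this ordering: the switch only falls through to 802.1X once the MAB request has been answered.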
From: Zammit, Ludovic <luza...@akamai.com>
Sent: Tuesday, 7 September 2021 14:40
To: packetfence-users@lists.sourceforge.net
Cc: Matthies, Heiko <heiko.matth...@asap.de>
Subject: Re: [PacketFence-users] Best Practice for devices from partner companies

Hello Heiko,

A few questions:
- Are you currently using EAP TLS for you?
- Is it wired or wireless access? I will assume it's wired, but I prefer to ask.

If it's wired, you actually choose the method of authentication on the switch port configuration. Even if they have 802.1x configuration at the NIC level, it would do MAC authentication if you tell it to. If you are not already using EAP TLS for your network, you could create a new EAP TLS profile that serves a certificate from a Root CA that they already trust.
Example:
EAP PEAP = Your RADIUS certificate
EAP TLS = CompanyA RADIUS certificate

Thanks,

Ludovic Zammit
Product Support Engineer Principal
Akamai Technologies - Inverse
145 Broadway, Cambridge, MA 02142

On Sep 6, 2021, at 8:38 AM, Matthies, Heiko via PacketFence-users <packetfence-users@lists.sourceforge.net> wrote:

Hello,

I'm looking for a way to integrate devices from partner companies into our network. I planned to provide an extra VLAN at every site which allows nothing but basic internet access without a captive portal. They normally use certificate-based authentication via EAP-TLS, which leads me to my problem:

- By default, Windows is configured to ignore certificate handshakes with RADIUS servers it does not trust. As the devices were provisioned by third-party companies, there is no way that their configuration would trust my self-signed RADIUS certificates.
- I tried working around this issue by providing MAB authentication, but the devices seem to notice that their preferred authentication method (dot1x) fails and just try it again after some cooldown time -> this behavior leads to recurring disconnects from the network (I've already set the reauthenticate timer to 23 hours so the reauthentication would not occur during business times).

What is the best way to handle this kind of device? The notebooks sadly don't support captive portal (because they require a VPN tunnel before any kind of web traffic is allowed), which is why they can't use our Guest-Wifi. If you need any more information, feel free to ask.

Thank you!

Greetings
Heiko

ASAP Engineering GmbH
Sachsstraße 1A | 85080 Gaimersheim
_______________________________________________
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users