Hello, I believe the solution is to use EAP-TLS, but if they don't provide the CA certificate of their company then they will have to provide a way to talk to their RADIUS server (something like eduroam).
The other solution can be to allow the VPN server in the passthrough; then, if they connect on the guest wifi, they will be able to have a VPN connection and surf the internet (not internally).

Regards
Fabrice

On Wed, 8 Sept 2021 at 03:03, Matthies, Heiko via PacketFence-users <packetfence-users@lists.sourceforge.net> wrote:

> Hello Ludovic,
>
> this issue regards just the wired access, as those devices are unable to use our guest-wifi (which is currently not PacketFence based). The customer who provided those devices is very restrictive about the usage outside of their own company network, which is why the devices need a VPN connection in order to access any kind of websites -> captive-portal detection does not work correctly on those machines (but this is another topic).
>
> Yes, I think I figured out the correct switchport config for the usage of both internal corporate clients and partner company clients. My goal was to streamline the switchport configs so that most of our switchports would be configured equally and every port provides the same capabilities.
>
> I went with putting MAB-auth first and then following with dot1x-auth. This way, those partner devices get processed right away and don't get to present their certificate.
>
> The only downside of this is that I get two reject events before the accept for my own corporate clients, because I disallowed the authentication via MAB for those. Is there a better solution for this (maybe I could ignore MAB requests for a specific kind of node-group?)
>
> We are currently using EAP-TTLS for our own clients; the partner devices use EAP-TLS. In theory, this would be possible, but I doubt that I would get my hands on a certificate from this company. As I said, they are very restrictive and I don't think they would provide something like this for us.
>
> I think I will stick to the "authentication order" solution for now, at least for those special clients, but maybe there really is a way to just serve dot1x auth for selected clients without sending a reject first.
>
> Thank you!
>
> Greetings
> Heiko
>
> ASAP Engineering GmbH
> Sachsstraße 1A | 85080 Gaimersheim
> Tel. +49 (8458) 3389 0 | Fax. +49 (8458) 3389 399
> heiko.matth...@asap.de | www.asap.de
> Managing directors: Michael Neisen, Robert Werner, Christian Schweiger | Registered office: Gaimersheim | Commercial register: Ingolstadt HRB 5408
> Privacy: detailed information on how ASAP handles your personal data is available on our website under Privacy <http://www.asap.de/datenschutz/>.
>
> From: Zammit, Ludovic <luza...@akamai.com>
> Sent: Tuesday, 7 September 2021 14:40
> To: packetfence-users@lists.sourceforge.net
> Cc: Matthies, Heiko <heiko.matth...@asap.de>
> Subject: Re: [PacketFence-users] Best Practice for devices from partner companies
>
> Hello Heiko,
>
> A few questions:
>
> Are you currently using EAP TLS for you?
>
> Is it wired or wireless access? I will assume it's wired but I prefer to ask.
>
> If it's wired, you actually choose the method of authentication on the switch port configuration. Even if they have 802.1x configuration at the NIC level it would do MAC authentication if you tell it to.
>
> If you are not already using EAP TLS for your network, you could create a new EAP TLS profile that serves a certificate from a Root CA that they already trust.
>
> Example:
>
> EAP PEAP = Your RADIUS certificate
>
> EAP TLS = CompanyA RADIUS certificate
>
> Thanks,
>
> Ludovic Zammit
> Product Support Engineer Principal
> Cell: +1.613.670.8432
> Akamai Technologies - Inverse
> 145 Broadway
> Cambridge, MA 02142
>
> On Sep 6, 2021, at 8:38 AM, Matthies, Heiko via PacketFence-users <packetfence-users@lists.sourceforge.net> wrote:
>
> Hello,
>
> I'm looking for a way to integrate devices from partner companies into our network. I planned to provide an extra VLAN at every site which allows nothing but basic internet access without a captive portal.
> They normally use certificate based authentication via EAP-TLS, which leads me to my problem:
> - By default, Windows is configured to ignore certificate handshakes with RADIUS servers it does not trust. As the devices were provisioned by third party companies there is no way that their configuration would trust my self-signed RADIUS certificates.
> - I tried working around this issue by providing MAB authentication, but the devices seem to notice that their preferred authentication method (dot1x) fails and just try it again after some cooldown time -> this behavior leads to recurring disconnects from the network (I've already set the reauthenticate timer to 23 hours so the reauthentication would not occur during business times).
>
> What is the best way to handle this kind of device? The notebooks sadly don't support captive portal (because they require a VPN tunnel before any kind of web traffic is allowed), which is why they can't use our Guest-Wifi.
>
> If you need any more information, feel free to ask.
> Thank you!
>
> Greetings
> Heiko
>
> ASAP Engineering GmbH | Sachsstraße 1A | 85080 Gaimersheim
> Tel. +49 (8458) 3389 0 | Fax. +49 (8458) 3389 399
> heiko.matth...@asap.de | www.asap.de
_______________________________________________ PacketFence-users mailing list PacketFence-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/packetfence-users
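The thread above describes two symptoms of mixing MAB and dot1x on the same ports: corporate clients collecting MAB Access-Rejects before their EAP-TTLS accept (because MAB is tried first and is disallowed for them), and MAB-authorized partner devices whose supplicants keep retrying dot1x and drop off the network. The script below is an added example and is not code from this thread, from PacketFence or from FreeRADIUS; it parses a constructed, deliberately simplified log format (one line per RADIUS decision, not the real FreeRADIUS or PacketFence log layout) and counts both patterns per MAC, so an operator can measure how often each happens before changing the switchport order or the node-group rules.

```python
"""Count noisy MAB/dot1x authentication sequences per endpoint.

Added example for the PacketFence-users thread on partner devices.
The log format below is CONSTRUCTED for this example; it is not
FreeRADIUS or PacketFence output.  Lines are assumed chronological.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed format: HH:MM:SS <Access-Accept|Access-Reject> mac=<mac> method=<MAB|EAP-TLS|EAP-TTLS>
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}) (?P<result>Access-Accept|Access-Reject) "
    r"mac=(?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}) "
    r"method=(?P<method>MAB|EAP-TLS|EAP-TTLS)$"
)

# Constructed sample: :01 is a corporate EAP-TTLS client hit by MAB-first ordering,
# :02 is a partner device authorized by MAB whose supplicant retries dot1x,
# :03 is a clean dot1x client.  The last line is noise the parser must skip.
SAMPLE_LOG = """\
08:00:01 Access-Reject mac=AA:BB:CC:00:00:01 method=MAB
08:00:03 Access-Reject mac=aa:bb:cc:00:00:01 method=MAB
08:00:05 Access-Accept mac=aa:bb:cc:00:00:01 method=EAP-TTLS
08:00:10 Access-Accept mac=aa:bb:cc:00:00:02 method=MAB
08:05:00 Access-Accept mac=aa:bb:cc:00:00:03 method=EAP-TTLS
08:30:10 Access-Reject mac=aa:bb:cc:00:00:02 method=EAP-TLS
08:30:12 Access-Accept mac=aa:bb:cc:00:00:02 method=MAB
garbage line that should be ignored
"""


@dataclass(frozen=True)
class AuthEvent:
    ts: str
    mac: str
    method: str
    accepted: bool


def parse_events(lines):
    """Parse matching lines into AuthEvents; MACs are normalised to lower case."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # unrelated or malformed line
        events.append(AuthEvent(m["ts"], m["mac"].lower(), m["method"],
                                m["result"] == "Access-Accept"))
    return events


def group_by_mac(events):
    per_mac = defaultdict(list)
    for ev in events:
        per_mac[ev.mac].append(ev)
    return per_mac


def mab_rejects_before_dot1x_accept(events):
    """Per MAC: MAB Access-Rejects that directly precede an EAP Access-Accept.

    This is the 'two rejects before the accept' noise a MAB-first port
    order produces for clients that are not allowed to use MAB.
    """
    result = {}
    for mac, seq in group_by_mac(events).items():
        run = total = 0
        for ev in seq:
            if ev.method == "MAB" and not ev.accepted:
                run += 1
            elif ev.method != "MAB" and ev.accepted and run:
                total += run
                run = 0
            else:
                run = 0
        if total:
            result[mac] = total
    return result


def dot1x_attempts_after_mab_accept(events):
    """Per MAC: EAP attempts seen after the device was already authorized by MAB.

    A MAB-authorized supplicant that keeps trying dot1x is the pattern
    behind the recurring disconnects described for the partner notebooks.
    """
    result = {}
    for mac, seq in group_by_mac(events).items():
        mab_authorized = False
        count = 0
        for ev in seq:
            if ev.method == "MAB" and ev.accepted:
                mab_authorized = True
            elif ev.method != "MAB" and mab_authorized:
                count += 1
        if count:
            result[mac] = count
    return result


def analyze(log_text):
    events = parse_events(log_text.splitlines())
    return {
        "mab_rejects_before_dot1x_accept": mab_rejects_before_dot1x_accept(events),
        "dot1x_attempts_after_mab_accept": dot1x_attempts_after_mab_accept(events),
    }


if __name__ == "__main__":
    for name, per_mac in analyze(SAMPLE_LOG).items():
        print(name)
        for mac, n in sorted(per_mac.items()):
            print(f"  {mac}: {n}")
```

On the sample, the corporate client shows two MAB rejects ahead of its EAP-TTLS accept and the partner device shows one dot1x attempt after its MAB authorization; pointed at a real export (after adapting `LINE_RE` to the actual log layout), the two counters tell you which endpoints still need a different port order or node-group rule.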