Hello Joe, Yes, PacketFence does exactly what you want it to do.
The only thing is that you need to put an LDAP source on a connection profile that catches the EAP TLS authentication. The thing is, for PF to use the username given from the cert, by default it would try to match the username as a sAMAccountName. Make sure it matches and it would work.

You could also do another check: you could create a radius filter / VLAN filter that checks the MAC OUI of the device and allows only yours; maybe it would be less work than creating 800+ AD accounts.

Thanks,

Ludovic Zammit
Product Support Engineer Principal
Cell: +1.613.670.8432
Akamai Technologies - Inverse
145 Broadway
Cambridge, MA 02142

Connect with Us:
<https://community.akamai.com/>
<http://blogs.akamai.com/>
<https://twitter.com/akamai>
<http://www.facebook.com/AkamaiTechnologies>
<http://www.linkedin.com/company/akamai-technologies>
<http://www.youtube.com/user/akamaitechnologies?feature=results_main>

> On Jul 2, 2022, at 2:07 PM, Joe Clempka via PacketFence-users
> <packetfence-users@lists.sourceforge.net> wrote:
>
> Hey All,
>
> Is it possible when using EAP-TLS to restrict based on stripped username?
>
> The VoIP phones I am using send the last few characters of their MAC
> address for username and that is being used as the stripped name, and
> thus forced into the NULL realm (doesn't seem like there is any way
> around that).
>
> EAP-TLS works fine - phone powers on, sends its cert signed by the
> phone vendor CA, and PacketFence trusts the CA for this EAP profile
> and allows it.
>
> But the issue is the cert on the phones is generic provided by the
> manufacturer. This means that ANY VoIP phone by this vendor could
> come onto the network and start the EAP-TLS process, as it will
> present to PacketFence a certificate signed by the CA that I told
> PacketFence to use for EAP-TLS (defined under PKI SSL Certificates
> --> SSL Certificates --> Certificate Authority, I just paste in the
> CAs I use then map that to TLS Profile and then EAP Profile and then
> map that EAP Profile to the NULL realm).
>
> The vendor said they don't support PacketFence, and said to use
> Microsoft's NPS server, as that can use EAP-TLS plus looking up
> against AD for a username (that would be equal to the stripped MAC
> address). So Microsoft's way would be EAP-TLS where the stripped
> username must exist in AD plus have a cert issued by the phone vendor
> (and thus only user objects we create in AD with specific stripped
> names would be allowed).
>
> In AD, you would have a username with the last part of the MAC
> address, and a cert assigned to that user in AD (extracted from the
> phone). During EAP-TLS, it verifies the user object exists AND that
> it has a cert issued by the trusted CA. Versus in PacketFence it just
> cares that the client cert is issued by a trusted CA, and anyone with
> a cert signed by that CA would be trusted (so any VoIP phone by that
> vendor).
>
> Is that possible in PacketFence to lookup against AD and/or restrict
> based on a list of stripped names (it would be 800+ phone MAC
> names...).
>
> Thanks!
>
>
> _______________________________________________
> PacketFence-users mailing list
> PacketFence-users@lists.sourceforge.net
> https://urldefense.com/v3/__https://lists.sourceforge.net/lists/listinfo/packetfence-users__;!!GjvTz_vk!QnpxOcMWOpXMkDB2PlGA4H-YEEZ8032DzfZ7BXr5cA1PzdwpZ_5xevwK8z2GeC0ullpj13chII-QkZ-ej4gA_fm0GrqO1QzDkQYokA$
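The two checks discussed in this exchange (the EAP-TLS identity must exist as a directory account, and the device's MAC OUI must belong to the expected vendor) can be modelled as a small authorization function. The following Python is an added illustration written for this thread, not PacketFence code or configuration: the OUI value, the directory account set and the number of trailing MAC characters the phones send as their identity are all constructed assumptions, and the directory lookup is a set membership test standing in for the LDAP/AD query.

```python
"""Illustrative model of the EAP-TLS post-authentication checks discussed above.

Not PacketFence's implementation: a stand-alone sketch of the policy logic.
"""
import re
from dataclasses import dataclass

# Constructed vendor OUI allow-list (first three octets of the MAC).
# Placeholder value, not a real phone vendor's OUI.
ALLOWED_OUIS = {"00:11:22"}

# Constructed stand-in for the directory: the sAMAccountName values that
# would exist in AD, one per phone. A real deployment would query LDAP.
DIRECTORY_ACCOUNTS = {"aabbcc", "ddeeff"}

# The original post says the phones send "the last few characters" of the
# MAC as the EAP identity; six hex characters is an assumption.
STRIPPED_CHARS = 6


@dataclass
class RadiusRequest:
    user_name: str            # EAP identity presented by the supplicant
    calling_station_id: str   # MAC address as reported by the switch/NAS
    cert_chain_trusted: bool  # result of EAP-TLS certificate validation


def normalize_mac(mac: str) -> str:
    """Accept common MAC spellings and return lower-case colon-separated form."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def oui(mac: str) -> str:
    """Return the vendor prefix (first three octets) of a MAC address."""
    return normalize_mac(mac)[:8]


def expected_identity(mac: str) -> str:
    """Identity the phone is expected to send: trailing hex chars of its MAC."""
    return normalize_mac(mac).replace(":", "")[-STRIPPED_CHARS:]


def authorize(req: RadiusRequest,
              accounts=DIRECTORY_ACCOUNTS,
              ouis=ALLOWED_OUIS) -> tuple[bool, str]:
    """Apply the checks in order; return (accept, reason)."""
    # 1. Certificate check: already done by EAP-TLS, but a failed chain
    #    must never reach the later checks.
    if not req.cert_chain_trusted:
        return False, "client certificate not issued by a trusted CA"
    try:
        mac = normalize_mac(req.calling_station_id)
    except ValueError as exc:
        return False, str(exc)
    # 2. Vendor check: only the expected OUI may use this profile.
    if oui(mac) not in ouis:
        return False, f"OUI {oui(mac)} not in vendor allow-list"
    # 3. Consistency check: the identity must be derived from the MAC the
    #    NAS actually saw, so a borrowed identity is rejected.
    identity = req.user_name.lower()
    if identity != expected_identity(mac):
        return False, "EAP identity does not match Calling-Station-Id"
    # 4. Directory check: the stripped username must exist as an account.
    if identity not in accounts:
        return False, f"no directory account named {identity}"
    return True, "accept"


if __name__ == "__main__":
    # Constructed sample request for a phone that was provisioned in AD.
    print(authorize(RadiusRequest("AABBCC", "00-11-22-AA-BB-CC", True)))
```

Because each check returns a distinct reason string, the denial reasons can be logged as-is and counted; a rise in "OUI not in vendor allow-list" or "no directory account" events is the signal that an unprovisioned device is presenting the vendor's generic certificate.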
_______________________________________________
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users