Hello Rob,

Only 802.1x EAP PEAP requires the PF servers to be joined to the domain.

With EAP-PEAP, PacketFence has two interactions with an AD: NTLM authentication, 
which requires the server to be joined with an admin account whose logins we do 
not store (it is a one-time join), and then the LDAP lookup after the 
authentication to check the group membership, for example. The LDAP one requires 
a dedicated basic service account for the LDAP bind.

With EAP-TLS you are not required to join the PF servers, since during the 
authentication process PF checks the certificate issuer identity against its 
authorized Root CA list. For the authorization part you could use the EAP-TLS 
source and create your own rules. To be more flexible, you could use an LDAP source 
if the username inside the certificate looks like an LDAP attribute that PF can 
use to do searches against an Active Directory.

Hope it clarifies it a bit.

Thanks,



Ludovic Zammit
Product Support Engineer Principal Lead

Cell: +1.613.670.8432
Akamai Technologies - Inverse
145 Broadway
Cambridge, MA 02142
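The EAP-TLS flow described in the reply above, as an added example that is not PacketFence's own code: a Go program using only the standard library that mints an in-memory authorized root and an unrelated root, issues a client certificate from each, accepts only the chain that ends in the authorized Root CA list (no domain join involved), and then builds the AD group-lookup filter from the accepted certificate's CN. The root names, the CN "jdoe", and the mapping of the certificate CN to sAMAccountName are assumptions made for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"strings"
	"time"
)

var notBefore, notAfter = time.Now().Add(-time.Hour), time.Now().Add(24 * time.Hour)

// mint signs tmpl with parentKey; with parent == nil it is self-signed with its own fresh key.
func mint(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// rootTemplate describes a CA, clientTemplate a client-auth leaf; both are constructed for the demo.
func rootTemplate(name string) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		NotBefore: notBefore, NotAfter: notAfter,
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
}
func clientTemplate(cn string) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: cn},
		NotBefore: notBefore, NotAfter: notAfter,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
}

// authenticate is the EAP-TLS step: the chain must end in an authorized root. No domain join is involved.
func authenticate(client *x509.Certificate, authorized *x509.CertPool) error {
	_, err := client.Verify(x509.VerifyOptions{
		Roots:     authorized,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	return err
}

// ldapFilter maps the CN to an AD lookup for the authorization step (the CN-to-sAMAccountName
// mapping is an assumption), escaping RFC 4515 metacharacters so a crafted CN cannot alter the query.
func ldapFilter(cn string) (string, error) {
	if cn == "" {
		return "", fmt.Errorf("certificate carries no CN to look up")
	}
	esc := strings.NewReplacer(`\`, `\5c`, `*`, `\2a`, `(`, `\28`, `)`, `\29`, "\x00", `\00`)
	return fmt.Sprintf("(&(objectClass=user)(sAMAccountName=%s))", esc.Replace(cn)), nil
}

// Scenario checks a cert from the authorized root and one from an unrelated root with the same CN.
func Scenario() (trustedErr, rogueErr error, filter string, setupErr error) {
	var errs []error
	check := func(c *x509.Certificate, k *ecdsa.PrivateKey, err error) (*x509.Certificate, *ecdsa.PrivateKey) {
		errs = append(errs, err) // nil entries are skipped below
		return c, k
	}
	corpRoot, corpKey := check(mint(rootTemplate("Example Corp Root CA"), nil, nil))
	rogueRoot, rogueKey := check(mint(rootTemplate("Unrelated Root CA"), nil, nil))
	good, _ := check(mint(clientTemplate("jdoe"), corpRoot, corpKey))
	bad, _ := check(mint(clientTemplate("jdoe"), rogueRoot, rogueKey)) // same CN, wrong issuer
	for _, e := range errs {
		if e != nil {
			return nil, nil, "", e
		}
	}
	authorized := x509.NewCertPool() // PF's authorized Root CA list, here with a single entry
	authorized.AddCert(corpRoot)
	trustedErr = authenticate(good, authorized)
	rogueErr = authenticate(bad, authorized)
	if trustedErr == nil {
		filter, setupErr = ldapFilter(good.Subject.CommonName)
	}
	return trustedErr, rogueErr, filter, setupErr
}

func main() {
	trusted, rogue, filter, err := Scenario()
	fmt.Println("setup:", err, "| authorized issuer:", trusted, "| unrelated issuer:", rogue, "| lookup:", filter)
}
```

Run it with `go run` to see the certificate from the unrelated root refused with an unknown-authority error while the one from the authorized root passes and yields the lookup filter. The escaping in ldapFilter is the check a practitioner wants before handing a value taken from a client-supplied certificate to an LDAP search.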

> On Mar 2, 2023, at 12:14 PM, Rob Game via PacketFence-users 
> <packetfence-users@lists.sourceforge.net> wrote:
> 
> Hi all,
> 
> I am interested in using PacketFence to do 802.1x with EAP-TLS in our small 
> environment. We are a highly security-conscious team and would like to know 
> how PacketFence handles Domain Joins and the associated domain admin 
> credentials.
> 
> I understand the system needs to be domain joined to create an account to 
> validate Computer AD groups and such. On other products I have seen this is 
> only required once, and the domain admin credentials are not stored. Is this 
> the case for PacketFence?
> 
> If they are stored, would creating a temporary DA account for the join, then 
> disabling/deleting the account work as an alternative approach?
> 
> Thanks in advance for your help!
> 
> Rob
> _______________________________________________
> PacketFence-users mailing list
> PacketFence-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/packetfence-users
>  
