Hello Jochen,

This is how I would do it:

- Do EAP-TLS computer authentication on the devices
- Make sure to install the Root CA that signed the computer cert into the PacketFence root CA authority under Config / SSL certificate / Root CA
- Create a connection profile with a sub connection filter on TLS
- On that source, put an AD source that is configured properly with: the search attribute on dNSHostName, then a rule that does a search on servicePrincipalName starting with host/

Thanks,

Ludovic Zammit
Product Support Engineer Principal Lead
Cell: +1.613.670.8432
Akamai Technologies - Inverse
145 Broadway Cambridge, MA 02142

Connect with Us:
<https://community.akamai.com/>
<http://blogs.akamai.com/>
<https://twitter.com/akamai>
<http://www.facebook.com/AkamaiTechnologies>
<http://www.linkedin.com/company/akamai-technologies>
<http://www.youtube.com/user/akamaitechnologies?feature=results_main>

> On Mar 14, 2024, at 11:27 AM, Jochen Ackermann <jochen.ackerm...@igd.fraunhofer.de> wrote:
>
> On 13.03.2024 at 21:44, Zammit, Ludovic wrote:
>> Can you tell me one use case that you want to achieve with EAP TLS
>> authentication ?
>
> Hello Ludovic,
>
> The use case (i.e. requirement) is to register/accept hosts based on their
> account/group membership in the AD irrespective of the current user.
>
> All our hosts have machine certificates issued by our local CA tied to
> their hostname which are to be used to authenticate/authorise the access to
> the corresponding subnet. The subnet is derived from the AD group membership
> of the host, so the VLAN information (together with the reauthentication
> interval) is then sent to the switch in the RADIUS reply. Wireless
> connections should work in the same way, with additional CoA. Of course, if
> the host is yet unknown to PacketFence, as long as it has a valid AD account,
> it should perform auto-registration. The whole process relies on the AD
> account of the host and we would very much prefer not to use the captive
> portal.
>
> The subsequent user login is entirely handled by AD and not part of the 802.1X
> authentication. The exception being the use of VPN, where the user
> authentication is done within PacketFence, which works as expected (group
> membership is also checked for the authorization).
>
>
> kind regards,
>
> Jochen
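The steps Ludovic lists (look the machine up by dNSHostName, require a servicePrincipalName that starts with host/, then derive the VLAN and reauthentication interval from AD group membership as Jochen describes) can be modelled end to end. The following is an added illustrative example written for this thread; it is not PacketFence code and does not use its APIs. The directory entries, group DNs and VLAN ids are constructed; `Tunnel-Private-Group-ID` and `Session-Timeout` are standard RADIUS attribute names, and the "first mapped group wins" and "no mapping means reject" choices are assumptions of this model.

```python
# Added illustrative model of the policy described in this thread; it is not
# PacketFence code. Directory entries, group DNs and VLAN ids are constructed.

SPN_PREFIX = "host/"  # the AD source rule: servicePrincipalName starts with host/

# Constructed sample AD computer objects (attribute names follow Active Directory).
AD_DIRECTORY = [
    {
        "dNSHostName": "ws01.corp.example",
        "servicePrincipalName": ["host/ws01.corp.example", "HOST/WS01"],
        "memberOf": ["CN=Lab-Hosts,OU=Groups,DC=corp,DC=example"],
    },
    {   # object whose SPNs do not start with host/ -> the rule does not match
        "dNSHostName": "app02.corp.example",
        "servicePrincipalName": ["HTTP/app02.corp.example"],
        "memberOf": ["CN=Servers,OU=Groups,DC=corp,DC=example"],
    },
    {   # valid host account, but in no group that maps to a VLAN
        "dNSHostName": "ws03.corp.example",
        "servicePrincipalName": ["host/ws03.corp.example"],
        "memberOf": [],
    },
]

# Constructed mapping: AD group DN -> (VLAN id, reauthentication interval in seconds)
GROUP_TO_VLAN = {
    "CN=Lab-Hosts,OU=Groups,DC=corp,DC=example": ("20", 3600),
    "CN=Office-Hosts,OU=Groups,DC=corp,DC=example": ("30", 7200),
}


def hostname_from_identity(identity: str) -> str:
    """Normalise the EAP-TLS identity taken from the machine certificate.
    Windows machine certificates commonly present the host as 'host/fqdn';
    accept both that form and a bare FQDN, compared case-insensitively."""
    identity = identity.strip()
    if identity.lower().startswith(SPN_PREFIX):
        identity = identity[len(SPN_PREFIX):]
    return identity.lower()


def lookup_by_dnshostname(directory, hostname):
    """The 'search attribute on dNSHostName' step: find the computer object."""
    for entry in directory:
        if entry["dNSHostName"].lower() == hostname:
            return entry
    return None


def has_host_spn(entry) -> bool:
    """The rule: at least one servicePrincipalName starts with host/."""
    return any(spn.lower().startswith(SPN_PREFIX)
               for spn in entry.get("servicePrincipalName", []))


def vlan_for_groups(groups, mapping):
    """First group in memberOf that has a VLAN mapping wins (model assumption)."""
    for group in groups:
        if group in mapping:
            return mapping[group]
    return None


def authorize(identity: str, directory=AD_DIRECTORY, mapping=GROUP_TO_VLAN) -> dict:
    """Decide the RADIUS reply for a machine-certificate identity."""
    hostname = hostname_from_identity(identity)
    entry = lookup_by_dnshostname(directory, hostname)
    if entry is None:
        return {"action": "Access-Reject", "reason": "no AD computer account"}
    if not has_host_spn(entry):
        return {"action": "Access-Reject", "reason": "no host/ servicePrincipalName"}
    assignment = vlan_for_groups(entry.get("memberOf", []), mapping)
    if assignment is None:
        return {"action": "Access-Reject", "reason": "no VLAN mapping for group membership"}
    vlan, reauth_seconds = assignment
    return {
        "action": "Access-Accept",
        "host": hostname,
        "auto_register": True,  # host unknown to the NAC but holding a valid AD account
        "Tunnel-Private-Group-ID": vlan,   # VLAN sent back to the switch
        "Session-Timeout": reauth_seconds,  # reauthentication interval
    }


if __name__ == "__main__":
    for ident in ("host/WS01.corp.example", "app02.corp.example",
                  "ws03.corp.example", "ghost.corp.example"):
        print(ident, "->", authorize(ident))
```

Running the block shows one accept with VLAN 20 and a 3600 s reauthentication interval, and three rejects, each carrying the reason a troubleshooter would want to see in the audit log: no computer account, no host/ SPN, and no group-to-VLAN mapping.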
_______________________________________________
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users