Not to hijack this thread, but this is something we are looking into as
well (since we have been successful in setting up EAP-TLS). Is there any
documentation as to how we could set up both AD machine objects and JAMF
Computers/Mobile objects to auto-register when connected with their machine
certificate? The furthest I have gotten on my own is finding that we will
most likely need to use the JAMF API as an HTTP source in PF, but I am not
sure where to go from there.

Thanks,

Reese Herber
Systems Integration Analyst
Technical Services Department
Phone: 253-530-3715
"The fusion of technology and education is the canvas on which we
paint the masterpiece of our collective future, one pixel at a time."



On Thu, Mar 14, 2024 at 8:16 PM Zammit, Ludovic via PacketFence-users <
packetfence-users@lists.sourceforge.net> wrote:

> Hello Jochen,
>
> This is how I would do it:
>
> - Do EAP TLS computer authentication on the devices
> - Make sure to install the Root CA that signed the computer cert into the
> PacketFence root CA authority under Config / SSL certificate / Root CA
> - Create a connection profile with a sub connection filter on TLS
> - On that source, put an AD source that is configured properly with:
>
> The search attribute on dNSHostName, then having a rule that does a search
> on servicePrincipalName starting with host/
>
> Thanks,
>
>
> *Ludovic Zammit*
> *Product Support Engineer Principal Lead*
> *Cell:* +1.613.670.8432
> Akamai Technologies - Inverse
> 145 Broadway
> Cambridge, MA 02142
> Connect with Us: <https://community.akamai.com> <http://blogs.akamai.com>
> <https://twitter.com/akamai> <http://www.facebook.com/AkamaiTechnologies>
> <http://www.linkedin.com/company/akamai-technologies>
> <http://www.youtube.com/user/akamaitechnologies?feature=results_main>
>
> On Mar 14, 2024, at 11:27 AM, Jochen Ackermann <
> jochen.ackerm...@igd.fraunhofer.de> wrote:
>
> Am 13.03.2024 um 21:44 schrieb Zammit, Ludovic:
>
> Can you tell me one use case that you want to achieve with EAP TLS
> authentication ?
>
>
> Hello Ludovic,
>
> The use case (i.e. requirement) is to register/accept hosts based on their
> account/group-membership in the AD irrespective of the current user.
>
> All our hosts have machine certificates issued by our local CA tied to
> their hostname, which are to be used to authenticate/authorise the access to
> the corresponding subnet. The subnet is derived from the AD
> group-membership of the host, so the VLAN information (together with
> reauthentication interval) is then sent to the switch in the radius reply.
> Wireless connections should work in the same way, with additional CoA. Of
> course, if the host is yet unknown to packetfence, as long as it has a
> valid AD account, it should perform auto-registration. The whole process
> relies on the AD account of the host and we would very much prefer not to
> use the captive portal.
>
> The subsequent user login is entirely handled by AD and not part of the
> Dot1X authentication. The exception being the use of VPN, where the user
> authentication is done within packetfence, which works as expected (Group
> membership is also checked for the authorization).
>
>
> kind regards,
>
>    Jochen
>
>
> _______________________________________________
> PacketFence-users mailing list
> PacketFence-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/packetfence-users
>
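The flow Ludovic outlines (EAP-TLS computer authentication, an AD source searching on dNSHostName, a rule requiring a servicePrincipalName starting with host/, and the VLAN Jochen derives from group membership) can be modelled end to end. The block below is an added example written for this thread; it is not PacketFence code and does not use the PacketFence API. The directory entries, group names, VLAN numbers and reauthentication intervals are constructed, and the AD query is simulated with an in-memory list rather than a live LDAP bind, but the filter it builds is the one you would send to AD. It also shows the one caveat the thread does not spell out: the certificate CN comes from the supplicant, so it must be escaped (RFC 4515) before it lands in an LDAP filter.

```python
"""Model of EAP-TLS computer authentication as described in the thread:
certificate CN -> AD computer lookup on dNSHostName -> rule
'servicePrincipalName starts with host/' -> VLAN from group membership.
All hostnames, groups and VLAN numbers below are constructed examples."""

# Constructed stand-in for the computer objects an AD/LDAP source would return.
SAMPLE_AD = [
    {
        "dNSHostName": "lab-pc01.corp.example",
        "servicePrincipalName": ["HOST/lab-pc01.corp.example", "HOST/LAB-PC01"],
        "memberOf": ["CN=Lab-Workstations,OU=Groups,DC=corp,DC=example"],
    },
    {
        # Joined object without a host/ SPN: the rule must reject it even
        # though it is in a group that maps to a VLAN.
        "dNSHostName": "printer-07.corp.example",
        "servicePrincipalName": ["CUSTOM/printer-07.corp.example"],
        "memberOf": ["CN=Printers,OU=Groups,DC=corp,DC=example"],
    },
]

# Constructed group -> (VLAN id, reauthentication interval in seconds) table.
GROUP_VLANS = {
    "CN=Lab-Workstations,OU=Groups,DC=corp,DC=example": (110, 3600),
    "CN=Printers,OU=Groups,DC=corp,DC=example": (120, 7200),
}


def ldap_escape(value: str) -> str:
    """Escape an assertion value per RFC 4515 so certificate-supplied text
    cannot add wildcards or extra clauses to the filter."""
    table = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}
    return "".join(table.get(ch, ch) for ch in value)


def build_filter(cert_cn: str) -> str:
    """LDAP filter searching computer objects on dNSHostName."""
    return f"(&(objectClass=computer)(dNSHostName={ldap_escape(cert_cn)}))"


def search_computer(directory, cert_cn: str):
    """In-memory equivalent of sending build_filter() to AD: an exact,
    case-insensitive match on dNSHostName (DNS names are case-insensitive).
    A CN containing '*' matches nothing, just as the escaped filter would."""
    wanted = cert_cn.lower()
    return [e for e in directory if e["dNSHostName"].lower() == wanted]


def has_host_spn(entry) -> bool:
    """The rule from the thread: some servicePrincipalName starts with host/."""
    return any(spn.lower().startswith("host/") for spn in entry["servicePrincipalName"])


def authorize(directory, cert_cn: str) -> dict:
    """Decide the RADIUS reply for a machine certificate whose CN is cert_cn."""
    matches = search_computer(directory, cert_cn)
    if len(matches) != 1:
        return {"accept": False, "reason": f"{len(matches)} computer objects match CN"}
    entry = matches[0]
    if not has_host_spn(entry):
        return {"accept": False, "reason": "no servicePrincipalName starting with host/"}
    for group in entry["memberOf"]:
        if group in GROUP_VLANS:
            vlan, reauth = GROUP_VLANS[group]
            return {"accept": True, "vlan": vlan, "reauth_interval": reauth,
                    "filter": build_filter(cert_cn)}
    return {"accept": False, "reason": "host is in no group mapped to a VLAN"}


if __name__ == "__main__":
    for cn in ("lab-pc01.corp.example", "printer-07.corp.example", "*"):
        print(cn, "->", authorize(SAMPLE_AD, cn))
```

Only a host that exists as exactly one computer object, carries a host/ SPN and sits in a mapped group gets an Access-Accept with a VLAN and reauthentication interval; an unknown host, a duplicate match, or a CN with filter metacharacters falls through to a reject with a reason you can log.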