Re: [PacketFence-users] Windows Computer Certificates instead of hostnames

2016-06-02 Thread Holger.Patzelt
Hello Antoine,

thanks for your answer.
I think that shows enough to have work for a few days to try :)

Bye,
Holger


From: Antoine Amacher [mailto:aamac...@inverse.ca]
Sent: Monday, 30 May 2016 19:55
To: packetfence-users@lists.sourceforge.net
Subject: Re: [PacketFence-users] Windows Computer Certificates instead of hostnames

Hello Holger,

1. You cannot do EAP-TLS + PEAP on a supplicant; it will be either one or the 
other. The combination of certificate and user/pw is not possible then.

That being said, you can do an EAP-TLS Computer + User Auth, which would first 
authenticate the computer with the hostname and its matching computer certificate 
and then authenticate the user with the user certificate as soon as they log in.

You will also need to look into the EAP-TLS configuration for the server, the main 
point being that your RADIUS and client certificates need to be issued from the 
same CA. There is an example of how to configure EAP-TLS with a working 
certificate here: 
http://packetfence.org/doc/PacketFence_MSPKI_Quick_Install_Guide.html#_step_2_configuring_packetfence
This example is with MSPKI but can be applied to any PKI.

For the filter, there is an example matching what I explained (ComputerAuth + 
UserAuth if ComputerAuth is valid) in the vlan_filters.conf.example file under 
the folder /usr/local/pf/conf.

2. The other option would be to do EAP-TLS as ComputerAuth only and use the 
portal for Username/PW authentication.

In this case you would not need to set any filter (via the filtering engine): 
once your EAP-TLS has authenticated, you should be redirected to the portal, 
since the EAP-TLS will only grant you access to be able to talk with 
PacketFence, unless you have a rule that registers devices which authenticate via 
EAP-TLS.
You could then create a portal profile using the filter connection-type 
Ethernet-EAP and/or Wireless-802.11-EAP, and add your required source of 
authentication for the Username/PW there.

This way you will have the combination you wanted: the user will have to enter 
their credentials after their computer has been validated on the network via a 
certificate.

Thank you
On 05/30/2016 11:22 AM, holger.patz...@t-systems.com wrote:
Hi folks,

Is there anyone who can help me with the following task?
I want to authenticate clients with Windows Computer Certificates (not 
"hostname") and Username/pw.

-  How do I configure the first?

-  And how does the filter have to look to combine it with the user 
auth?

Thanks,
Holger




--
What NetFlow Analyzer can do for you? Monitors network bandwidth and traffic
patterns at an interface-level. Reveals which users, apps, and protocols are
consuming the most bandwidth. Provides multi-vendor support for NetFlow,
J-Flow, sFlow and other flows. Make informed decisions using capacity
planning reports. https://ad.doubleclick.net/ddm/clk/305295220;132659582;e
___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users



--
Antoine Amacher
aamac...@inverse.ca  ::  +1.514.447.4918 *130  ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence (www.packetfence.org)


Re: [PacketFence-users] Windows Computer Certificates instead of hostnames

2016-05-30 Thread Antoine Amacher

Hello Holger,

1. You cannot do EAP-TLS + PEAP on a supplicant; it will be either one 
or the other. The combination of certificate and user/pw is not possible 
then.


That being said, you can do an EAP-TLS Computer + User Auth, which would 
first authenticate the computer with the hostname and its matching computer 
certificate and then authenticate the user with the user certificate as 
soon as they log in.


You will also need to look into the EAP-TLS configuration for the server, 
the main point being that your RADIUS and client certificates need to be 
issued from the same CA. There is an example of how to configure EAP-TLS 
with a working certificate here: 
http://packetfence.org/doc/PacketFence_MSPKI_Quick_Install_Guide.html#_step_2_configuring_packetfence

This example is with MSPKI but can be applied to any PKI.

For the filter, there is an example matching what I explained 
(ComputerAuth + UserAuth if ComputerAuth is valid) in the 
vlan_filters.conf.example file under the folder /usr/local/pf/conf.


2. The other option would be to do EAP-TLS as ComputerAuth only and use 
the portal for Username/PW authentication.


In this case you would not need to set any filter (via the filtering 
engine): once your EAP-TLS has authenticated, you should be redirected 
to the portal, since the EAP-TLS will only grant you access to be able 
to talk with PacketFence, unless you have a rule that registers devices 
which authenticate via EAP-TLS.
You could then create a portal profile using the filter connection-type 
Ethernet-EAP and/or Wireless-802.11-EAP, and add your required source of 
authentication for the Username/PW there.


This way you will have the combination you wanted: the user will have to 
enter their credentials after their computer has been validated on the 
network via a certificate.


Thank you

On 05/30/2016 11:22 AM, holger.patz...@t-systems.com wrote:


Hi folks,

Is there anyone who can help me with the following task?

I want to authenticate clients with Windows Computer Certificates (not 
“hostname”) and Username/pw.


- How do I configure the first?

- And how does the filter have to look to combine it with the user auth?

Thanks,

Holger





--
Antoine Amacher
aamac...@inverse.ca  ::  +1.514.447.4918 *130  ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence 
(www.packetfence.org)

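Antoine's first point, that the RADIUS server certificate and the client certificates must be issued by the same CA, as an added example that is not code from this thread or from PacketFence: a shell script that builds a throwaway lab CA with openssl, issues a RADIUS server certificate and a computer certificate from it, and checks that each chains to that CA and carries the extended key usage a Windows supplicant expects. The CA names, hostnames and file paths are constructed for the demo, and a second, unrelated CA is included only to show how a certificate from the wrong issuer fails the same check.

```shell
#!/bin/sh
# Added example, not from the PacketFence thread: throwaway lab PKI built with
# openssl to check the EAP-TLS "same CA" requirement. A second CA shows what a
# certificate from the wrong issuer looks like. All names/paths are constructed.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_ca PREFIX CN: self-signed CA written to PREFIX.key and PREFIX.crt
make_ca() {
  openssl req -x509 -new -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=$2" -keyout "$1.key" -out "$1.crt" 2>/dev/null
}

# issue_cert CAPREFIX SUBJECT EKU PREFIX: leaf certificate signed by the CA,
# carrying the extendedKeyUsage a Windows supplicant expects (serverAuth on
# the RADIUS server certificate, clientAuth on the machine certificate).
issue_cert() {
  openssl req -new -newkey rsa:2048 -nodes -subj "$2" \
    -keyout "$4.key" -out "$4.csr" 2>/dev/null
  printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=%s\n' "$3" > "$4.ext"
  openssl x509 -req -in "$4.csr" -CA "$1.crt" -CAkey "$1.key" -CAcreateserial \
    -days 365 -extfile "$4.ext" -out "$4.crt" 2>/dev/null
}

# chains_to CAPREFIX PREFIX EKUTEXT: succeeds only if the certificate verifies
# against the CA and its decoded extensions mention EKUTEXT (for example
# "TLS Web Client Authentication").
chains_to() {
  openssl verify -CAfile "$1.crt" "$2.crt" >/dev/null 2>&1 || return 1
  openssl x509 -in "$2.crt" -noout -text | grep -q "$3"
}

# Lab PKI: "Lab Root CA" issues the RADIUS server cert and PC1's machine cert;
# an unrelated CA issues PC2's machine cert.
make_ca "$WORK/ca" "Lab Root CA"
make_ca "$WORK/other" "Some Other CA"
issue_cert "$WORK/ca" "/CN=radius.lab.example" serverAuth "$WORK/radius"
issue_cert "$WORK/ca" "/CN=pc1.lab.example" clientAuth "$WORK/pc1"
issue_cert "$WORK/other" "/CN=pc2.lab.example" clientAuth "$WORK/pc2"

# Which certificates would a RADIUS server trusting only Lab Root CA accept?
for name in radius pc1 pc2; do
  if chains_to "$WORK/ca" "$WORK/$name" Authentication; then
    echo "$name: issued by Lab Root CA, accepted"
  else
    echo "$name: not issued by Lab Root CA, rejected"
  fi
done
```

Point the RADIUS server's CA file at the real issuing CA and run chains_to against an exported machine certificate to confirm it will be accepted before touching the PacketFence configuration.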