Discussion:
[PacketFence-users] Windows Computer Certificates instead of hostnames
Antoine Amacher
2016-05-30 17:54:39 UTC
Permalink
Hello Holger,

1. You cannot do EAP-TLS + PEAP on a supplicant, it will be either one
or the other. The combination of certificate and user/pw is not possible
then.

That being said you can do an EAP-TLS Computer + User Auth, which would
first authenticate the computer with hostname and his matching computer
certificate and then authenticate the user with the user certificate as
soon as it login.

You will need to look into EAP-TLS configuration for the server also,
the main point being, your RADIUS and clients certificate needs to be
issued from the same CA. There is an example on how to configure EAP-TLS
with working certificate over here:
http://packetfence.org/doc/PacketFence_MSPKI_Quick_Install_Guide.html#_step_2_configuring_packetfence

This example is with MSPKI but can be apply to any PKI.

For the filter there is an example matching what I explain,
(ComputerAuth + UserAuth if ComputerAuth is valid) in the
vlan_filters.conf.example file under the folder /usr/local/pf/conf

2. The other option would be to do EAP-TLS as ComputerAuth only and use
the portal for a Username/PW authentication.

In this case you would not need to set any filter(via the filtering
engine), once your EAP-TLS has authenticated, you should be redirected
on the portal, since the EAP-TLS will only grant you access to be able
to talk with PacketFence, unless you have a rule that register device
which authenticate via EAP-TLS.
You could then create a portal profile using the filter connection-type
Ethernet-EAP and/or Wireless-802.11-EAP, and add here your required
source of authentication for the Username/PW.

This way you will have the combination wanted, the user will have to
enter his credentials after his computer was validated on the network
via a certificate.

Thank you
Hi folks,
I want to authenticate Clients with Windows Computer Certificates (not
“hostname”) and Username/pw.
-How do I configure the first ?
-And how do the filter have to look for combining it with the user auth?
Thanks,
Holger
------------------------------------------------------------------------------
What NetFlow Analyzer can do for you? Monitors network bandwidth and traffic
patterns at an interface-level. Reveals which users, apps, and protocols are
consuming the most bandwidth. Provides multi-vendor support for NetFlow,
J-Flow, sFlow and other flows. Make informed decisions using capacity
planning reports. https://ad.doubleclick.net/ddm/clk/305295220;132659582;e
_______________________________________________
PacketFence-users mailing list
https://lists.sourceforge.net/lists/listinfo/packetfence-users
--
Antoine Amacher
***@inverse.ca :: +1.514.447.4918 *130 :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence (www.packetfence.org)
H***@t-systems.com
2016-06-02 07:15:45 UTC
Permalink
Hallo Antoine,

thanks for your answer.
I think that shows enough to have work for a few days to try :)

Bye,
Holger


Von: Antoine Amacher [mailto:***@inverse.ca]
Gesendet: Montag, 30. Mai 2016 19:55
An: packetfence-***@lists.sourceforge.net
Betreff: Re: [PacketFence-users] Windows Computer Certificates instead of hostnames

Hello Holger,

1. You cannot do EAP-TLS + PEAP on a supplicant, it will be either one or the other. The combination of certificate and user/pw is not possible then.

That being said you can do an EAP-TLS Computer + User Auth, which would first authenticate the computer with hostname and his matching computer certificate and then authenticate the user with the user certificate as soon as it login.

You will need to look into EAP-TLS configuration for the server also, the main point being, your RADIUS and clients certificate needs to be issued from the same CA. There is an example on how to configure EAP-TLS with working certificate over here: http://packetfence.org/doc/PacketFence_MSPKI_Quick_Install_Guide.html#_step_2_configuring_packetfence
This example is with MSPKI but can be apply to any PKI.

For the filter there is an example matching what I explain, (ComputerAuth + UserAuth if ComputerAuth is valid) in the vlan_filters.conf.example file under the folder /usr/local/pf/conf

2. The other option would be to do EAP-TLS as ComputerAuth only and use the portal for a Username/PW authentication.

In this case you would not need to set any filter(via the filtering engine), once your EAP-TLS has authenticated, you should be redirected on the portal, since the EAP-TLS will only grant you access to be able to talk with PacketFence, unless you have a rule that register device which authenticate via EAP-TLS.
You could then create a portal profile using the filter connection-type Ethernet-EAP and/or Wireless-802.11-EAP, and add here your required source of authentication for the Username/PW.

This way you will have the combination wanted, the user will have to enter his credentials after his computer was validated on the network via a certificate.

Thank you
On 05/30/2016 11:22 AM, ***@t-systems.com<mailto:***@t-systems.com> wrote:
Hi folks,

anyone who can help me with the following task:
I want to authenticate Clients with Windows Computer Certificates (not "hostname") and Username/pw.

- How do I configure the first ?

- And how do the filter have to look for combining it with the user auth?

Thanks,
Holger




------------------------------------------------------------------------------

What NetFlow Analyzer can do for you? Monitors network bandwidth and traffic

patterns at an interface-level. Reveals which users, apps, and protocols are

consuming the most bandwidth. Provides multi-vendor support for NetFlow,

J-Flow, sFlow and other flows. Make informed decisions using capacity

planning reports. https://ad.doubleclick.net/ddm/clk/305295220;132659582;e




_______________________________________________

PacketFence-users mailing list

PacketFence-***@lists.sourceforge.net<mailto:PacketFence-***@lists.sourceforge.net>

https://lists.sourceforge.net/lists/listinfo/packetfence-users



--

Antoine Amacher

***@inverse.ca<mailto:***@inverse.ca> :: +1.514.447.4918 *130 :: www.inverse.ca<http://www.inverse.ca>

Inverse inc. :: Leaders behind SOGo (www.sogo.nu<http://www.sogo.nu>) and PacketFence (www.packetfence.org<http://www.packetfence.org>)
Loading...