Antoine Amacher
2016-05-30 17:54:39 UTC
Hello Holger,
1. You cannot do EAP-TLS + PEAP on a supplicant; it will be either one
or the other. The combination of certificate and user/pw is not possible
then.
That being said, you can do an EAP-TLS Computer + User Auth, which would
first authenticate the computer with its hostname and matching computer
certificate and then authenticate the user with the user certificate as
soon as they log in.
You will need to look into the EAP-TLS configuration for the server also,
the main point being that your RADIUS and client certificates need to be
issued from the same CA. There is an example of how to configure EAP-TLS
with working certificates over here:
http://packetfence.org/doc/PacketFence_MSPKI_Quick_Install_Guide.html#_step_2_configuring_packetfence
This example is with MSPKI but can be applied to any PKI.
For the filter, there is an example matching what I explained
(ComputerAuth + UserAuth if ComputerAuth is valid) in the
vlan_filters.conf.example file under the folder /usr/local/pf/conf.
2. The other option would be to do EAP-TLS as ComputerAuth only and use
the portal for Username/PW authentication.
In this case you would not need to set any filter (via the filtering
engine); once your EAP-TLS has authenticated, you should be redirected
to the portal, since EAP-TLS will only grant you access to be able
to talk with PacketFence, unless you have a rule that registers devices
which authenticate via EAP-TLS.
You could then create a portal profile using the filter connection-type
Ethernet-EAP and/or Wireless-802.11-EAP, and add there your required
source of authentication for the Username/PW.
This way you will have the combination wanted: the user will have to
enter their credentials after their computer was validated on the network
via a certificate.
Thank you
Hi folks,
I want to authenticate clients with Windows computer certificates (not
hostname) and username/pw.
- How do I configure the first?
- And how does the filter have to look for combining it with the user auth?
Thanks,
Holger
_______________________________________________
PacketFence-users mailing list
https://lists.sourceforge.net/lists/listinfo/packetfence-users
--
Antoine Amacher
***@inverse.ca :: +1.514.447.4918 *130 :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence (www.packetfence.org)
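As an added example that is not part of this thread or of PacketFence's own configuration: a throwaway PKI built with the openssl command-line tool that shows the "same CA" requirement Antoine points to for EAP-TLS. The RADIUS server certificate and the computer (supplicant) certificate are both issued by one CA and both validate against it; a computer certificate from a second CA does not. All CA and host names are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from this thread or the PacketFence project: a throwaway PKI
# that demonstrates why the RADIUS server cert and the client (computer) certs must
# be issued by the CA the RADIUS side trusts. All names below are constructed.
# Requires the openssl command-line tool.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# mkca NAME: self-signed root CA -> $WORK/NAME.key, $WORK/NAME.crt
mkca() {
  openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" -subj "/CN=$1" -days 1 >/dev/null 2>&1
}

# issue CA NAME EKU: leaf cert for NAME signed by CA, with the given extendedKeyUsage
issue() {
  openssl req -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -keyout "$WORK/$2.key" -out "$WORK/$2.csr" -subj "/CN=$2" >/dev/null 2>&1
  printf 'extendedKeyUsage=%s\n' "$3" > "$WORK/$2.ext"
  openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/$1.crt" -CAkey "$WORK/$1.key" \
    -CAcreateserial -extfile "$WORK/$2.ext" -out "$WORK/$2.crt" -days 1 >/dev/null 2>&1
}

# chains_to CA NAME PURPOSE: succeeds only if NAME's cert validates against CA
# for PURPOSE (sslserver for the RADIUS side, sslclient for the supplicant side)
chains_to() {
  openssl verify -CAfile "$WORK/$1.crt" -purpose "$3" "$WORK/$2.crt" >/dev/null 2>&1
}

mkca pf-ca                                   # the CA the RADIUS server trusts
issue pf-ca radius.example.test serverAuth   # RADIUS server certificate
issue pf-ca ws01.example.test clientAuth     # computer certificate, same CA
mkca other-ca                                # an unrelated CA
issue other-ca ws02.example.test clientAuth  # computer certificate, wrong CA

for leaf in ws01.example.test ws02.example.test; do
  if chains_to pf-ca "$leaf" sslclient; then
    echo "$leaf: accepted (issued by pf-ca)"
  else
    echo "$leaf: rejected (not issued by the CA RADIUS trusts)"
  fi
done
```

The same check with `-purpose sslclient` also rejects the RADIUS server certificate itself, since its extendedKeyUsage is serverAuth only.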