With Checkpoint's Identity Awareness, HTTP or HTTPS for unknown users (AD point 
of view) are redirected to a captive portal URL.


Thank you, Fabrice




________________________________
From: Durand fabrice via PacketFence-users 
<packetfence-users@lists.sourceforge.net>
Sent: December 7, 2017 20:26
To: packetfence-users@lists.sourceforge.net
Cc: Durand fabrice
Subject: Re: [PacketFence-users] PoC: Social Login from Captive Portal and 
Firewall (Checkpoint) Enforcement


Hello Benoît,


My question is how the Checkpoint firewall will redirect the external devices 
to the captive portal?

Regards

Fabrice




On 2017-12-06 at 11:58, Benoît Dubé via PacketFence-users wrote:

Hi everyone,


I need to do a proof of concept to authenticate external users, in a BYOD use 
case, with their social login and/or their own enterprise accounts if they have 
MS AD and make the enforcement with the Checkpoint Firewall. The most important 
part is with social login.


Here is what I think of:

- Every user's traffic goes to the inline firewall, mainly from a wired connection

- Internal users are identified against their AD based on Checkpoint Identity 
Awareness (AD Query)

- External users are redirected to a captive portal. This is where Packetfence 
comes to play

- External users register to Packetfence, which authenticates them to social 
login services

- If social authentication succeeds, a sponsorship feature sends a message to a 
defined sponsor who accepts or denies the user. The sponsor should be able to set 
the role/group for each user.

- Packetfence should keep user information to manage future access.

- Later, when a registered user is redirected to the Captive Portal 
(PacketFence) for identification, Packetfence should authenticate against the 
social login service and, if that succeeds, send Radius accounting data to the 
Checkpoint to give him network access based on the policy defined in the 
Checkpoint. Checkpoint R80 should also receive and parse the group information 
from PacketFence within the Radius accounting. This group information is 
related to the role/group defined by the sponsor when users register.


As you can see, there is no 802.1x involved, nor VLAN assignment/enforcement. 
Enforcement is applied by the firewall.


Is it a possible use case for PacketFence? If yes, what are the main steps to 
configure this?


Benoît




------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot



_______________________________________________
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users
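
The last step of the flow in the original post (RADIUS accounting that carries the user, the IP address and the sponsor-assigned group to the firewall), as an added example that is not from the thread, PacketFence or Check Point. It builds an RFC 2866 Accounting-Request and shows the receiver checking the Request Authenticator before trusting the identity mapping; carrying the group in the Class attribute (25), the function names and all sample values are assumptions.

```python
import hashlib
import hmac
import ipaddress
import struct

ACCOUNTING_REQUEST = 4  # RADIUS code, RFC 2866
USER_NAME, FRAMED_IP, CLASS, ACCT_STATUS_TYPE, ACCT_SESSION_ID = 1, 8, 25, 40, 44

def _attr(attr_type, value):
    # Type (1 octet), Length (1 octet, counts the 2-octet header), Value.
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def _authenticator(header, attrs, secret):
    # RFC 2866: MD5(Code + Identifier + Length + 16 zero octets + attributes + secret).
    return hashlib.md5(header + bytes(16) + attrs + secret).digest()

def build_accounting_start(ident, secret, user, ip, group, session_id):
    attrs = b"".join([
        _attr(ACCT_STATUS_TYPE, struct.pack("!I", 1)),  # 1 = Start
        _attr(USER_NAME, user.encode()),
        _attr(FRAMED_IP, ipaddress.IPv4Address(ip).packed),
        _attr(CLASS, group.encode()),  # assumption: group sent in Class (25)
        _attr(ACCT_SESSION_ID, session_id.encode()),
    ])
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, ident, 20 + len(attrs))
    return header + _authenticator(header, attrs, secret) + attrs

def parse_accounting(packet, secret):
    """Receiver side: check the authenticator before trusting user, IP or group."""
    if len(packet) < 20:
        raise ValueError("short packet")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST or length != len(packet):
        raise ValueError("not a well-formed Accounting-Request")
    attrs = packet[20:]
    expected = _authenticator(packet[:4], attrs, secret)
    if not hmac.compare_digest(packet[4:20], expected):
        raise ValueError("bad Request Authenticator")
    fields, pos = {}, 0
    while pos < len(attrs):
        if pos + 2 > len(attrs) or not 2 <= attrs[pos + 1] <= len(attrs) - pos:
            raise ValueError("malformed attribute")
        fields[attrs[pos]] = attrs[pos + 2:pos + attrs[pos + 1]]
        pos += attrs[pos + 1]
    return {"user": fields[USER_NAME].decode(),
            "ip": str(ipaddress.IPv4Address(fields[FRAMED_IP])),
            "group": fields[CLASS].decode()}
```

Because the firewall grants access from this message alone, a receiver that skips the authenticator check would accept a group value altered in transit or sent by a host that does not hold the shared secret.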

