OK, so you will need to send a copy of the DHCP traffic to the PF server;
if you can, install the DHCP remote sensor on the DHCP server.
The next step will be to have a switch module for the Checkpoint firewall
(not a big deal) in order to parse the IP address in the URL.
Also, try sponsor access first instead of OAuth (OAuth needs internet
access for the device).
Regards
Fabrice
On 2017-12-07 at 22:18, Benoît Dubé via PacketFence-users wrote:
It's the Checkpoint that does the redirection for URL traffic. The
firewall is located at the entrance of the datacenter, and all users,
located at different sites in the province, pass through it. So it's
all layer 3 (IP). There is no MAC address that either Checkpoint or
PacketFence can be aware of. I don't know which parameters are
attached to the redirected URL, at least the original URL, since I
have to set up the PoC.
Unfortunately, I can't find any reference to the specific setup that
we plan. All the information is based on a traditional NAC setup, where
a controller dynamically modifies VLAN configurations on edge switches.
In our case, the enforcement should be done at the IP layer and
applied by the firewall. Checkpoint provides a captive portal, but it
isn't able to authenticate against external sources (Google, Facebook,
etc.). My customer doesn't want to provide accounts for the consultants
or any other temporary personnel in their own AD.
I have the same challenge with ClearPass, which I must test.
Thanks Fabrice
Benoît
------------------------------------------------------------------------
*From:* Durand fabrice via PacketFence-users
<packetfence-users@lists.sourceforge.net>
*Sent:* 7 December 2017 21:09
*To:* packetfence-users@lists.sourceforge.net
*Cc:* Durand fabrice
*Subject:* Re: [PacketFence-users] PoC: Social Login from Captive
Portal and Firewall (Checkpoint) Enforcement
Does the redirection contain the MAC address of the device? Do you
have an example of the URL with all the parameters (any documentation)?
If there is no MAC in the URL, then you will need to send a copy of the
DHCP traffic to PacketFence.
Also, for social login you will need to allow access to the
Facebook/Google/... websites.
On 2017-12-07 at 21:03, Benoît Dubé via PacketFence-users wrote:
With Checkpoint's Identity Awareness, HTTP or HTTPS traffic from unknown
users (from AD's point of view) is redirected to a captive portal URL.
Thanks Fabrice
Sent from Outlook <http://aka.ms/weboutlook>
------------------------------------------------------------------------
*From:* Durand fabrice via PacketFence-users
<packetfence-users@lists.sourceforge.net>
*Sent:* 7 December 2017 20:26
*To:* packetfence-users@lists.sourceforge.net
*Cc:* Durand fabrice
*Subject:* Re: [PacketFence-users] PoC: Social Login from Captive
Portal and Firewall (Checkpoint) Enforcement
Hello Benoît,
my question is: how will the Checkpoint firewall redirect the external
devices to the captive portal?
Regards
Fabrice
On 2017-12-06 at 11:58, Benoît Dubé via PacketFence-users wrote:
Hi everyone,
I need to do a proof of concept to authenticate external users, in a
BYOD use case, with their social login and/or their own enterprise
accounts if they have MS AD, and do the enforcement with the
Checkpoint firewall. The most important part is social login.
Here is what I have in mind:
- Every user's traffic goes to the inline firewall, mainly from a
wired connection
- Internal users are identified against their AD based on Checkpoint
Identity Awareness (AD Query)
- External users are redirected to a captive portal. This is where
PacketFence comes into play
- External users register with PacketFence, which authenticates them
against social login services
- If social authentication succeeds, a sponsorship feature sends a
message to a defined sponsor who accepts or denies the user. The
sponsor should be able to set the role/group for each user.
- PacketFence should keep user information to manage future access.
- Later, when a registered user is redirected to the captive portal
(PacketFence) for identification, PacketFence should authenticate
against the social login service and, if it succeeds, send RADIUS
accounting data to the Checkpoint to give them network access based
on the policy defined in the Checkpoint. Checkpoint R80 should also
receive and parse the group information from PacketFence within the
RADIUS accounting. This group information corresponds to the
role/group defined by the sponsor when users register.
As you can see, there is no 802.1X involved, nor VLAN
assignment/enforcement. Enforcement is applied by the firewall.
Is this a possible use case for PacketFence? If yes, what are the
main steps to configure it?
Benoît
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users
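Added example for the thread above, not code from PacketFence or Check Point. Fabrice's advice boils down to two pieces: feed PacketFence a copy of the DHCP traffic so it can learn which MAC holds which IP (the firewall only ever shows it an IP), and have a switch module pull the client IP out of the redirect URL. This Python block shows both halves and joins them, plus the check a practitioner would want on the URL half. Assumptions, all mine: the redirect carries the client address in a query parameter called `ip` (Benoît says the real parameter list is unknown, so this name is a placeholder), the portal hostname and DHCP packet bytes are constructed for the demo, and `LeaseTable`, `resolve_device` and the other function names are hypothetical.

```python
"""Added illustration (not PacketFence or Check Point code): learn IP -> MAC
from mirrored DHCP ACKs, then map the client IP in a firewall redirect URL to
that MAC.  The "ip" query parameter name and all packet bytes are assumptions
constructed for this example.
"""
import ipaddress
import struct
from urllib.parse import parse_qs, urlparse

BOOTREPLY, HTYPE_ETHERNET, DHCP_ACK = 2, 1, 5
MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_PAD, OPT_MSG_TYPE, OPT_END = 0, 53, 255


def build_dhcp_ack(client_mac: bytes, yiaddr: str, xid: int = 0x1234ABCD) -> bytes:
    """Construct a minimal BOOTP/DHCP ACK payload (sample input, not a capture)."""
    hdr = struct.pack("!BBBBIHH", BOOTREPLY, HTYPE_ETHERNET, 6, 0, xid, 0, 0)
    hdr += b"\x00" * 4                                    # ciaddr
    hdr += bytes(int(o) for o in yiaddr.split("."))       # yiaddr: the leased address
    hdr += b"\x00" * 8                                    # siaddr, giaddr
    hdr += client_mac + b"\x00" * (16 - len(client_mac))  # chaddr is 16 bytes
    hdr += b"\x00" * (64 + 128)                           # sname, file
    return hdr + MAGIC_COOKIE + bytes([OPT_MSG_TYPE, 1, DHCP_ACK, OPT_END])


def parse_dhcp_ack(payload: bytes):
    """Return (mac, ip) for an Ethernet DHCP ACK; None for anything else."""
    if len(payload) < 240 or payload[0] != BOOTREPLY:
        return None
    htype, hlen = payload[1], payload[2]
    if htype != HTYPE_ETHERNET or hlen != 6 or payload[236:240] != MAGIC_COOKIE:
        return None
    ip = ".".join(str(b) for b in payload[16:20])
    mac = ":".join(f"{b:02x}" for b in payload[28:28 + hlen])
    msg_type, i = None, 240
    while i < len(payload):                               # walk the TLV options
        code = payload[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END:
            break
        if i + 1 >= len(payload):
            return None                                   # truncated option header
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            return None                                   # truncated option body
        if code == OPT_MSG_TYPE and length == 1:
            msg_type = value[0]
        i += 2 + length
    return (mac, ip) if msg_type == DHCP_ACK else None


class LeaseTable:
    """IP -> MAC mapping learned from mirrored DHCP ACKs (hypothetical helper)."""

    def __init__(self):
        self._by_ip = {}

    def observe(self, payload: bytes) -> bool:
        parsed = parse_dhcp_ack(payload)
        if parsed is None:
            return False
        mac, ip = parsed
        self._by_ip[ip] = mac                             # newest ACK wins
        return True

    def mac_for(self, ip: str):
        return self._by_ip.get(ip)


def client_ip_from_redirect(url: str, param: str = "ip"):
    """Pull the client IPv4 address out of the redirect URL ("ip" is an assumed name)."""
    values = parse_qs(urlparse(url).query).get(param)
    if not values:
        return None
    try:
        return str(ipaddress.IPv4Address(values[0]))
    except ValueError:
        return None


def resolve_device(url: str, request_source_ip: str, leases: LeaseTable):
    """Map a redirected request to a MAC.  The query string is client-controlled,
    so the IP it carries is only trusted when it matches the request's source IP."""
    ip = client_ip_from_redirect(url)
    if ip is None or ip != request_source_ip:
        return None
    return leases.mac_for(ip)


if __name__ == "__main__":
    leases = LeaseTable()
    leases.observe(build_dhcp_ack(bytes.fromhex("001122334455"), "10.20.30.40"))
    # constructed hostnames; the real redirect format comes from the firewall
    url = "https://portal.example.net/captive-portal?ip=10.20.30.40&url=https%3A%2F%2Fwww.example.com%2F"
    print(resolve_device(url, "10.20.30.40", leases))
```

The source-IP cross-check in `resolve_device` is the part worth keeping whatever the real URL format turns out to be: the firewall inserts the address, but the client can rewrite the query string, so a portal that trusts the parameter alone would let one user register or release another user's device.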