On 2017-12-08 at 09:45, Benoît Dubé via PacketFence-users wrote:
>
> Thank you very much, Fabrice,
>
>
> When external users are redirected to the PacketFence portal, the IP
> packets contain the user's IP.  I can install the DHCP remote sensor
> on the server, but the question is why do that if the IP info is
> already known by PacketFence?
>
>
Because for PacketFence a device is a MAC address, not an IP.
If you hit the portal and PacketFence is not able to map the IP to a MAC,
then you will have an error message on the portal.

> Note: DNS, DHCP and AD will always be available to unregistered users
> with a policy on Checkpoint.
>
>
> About the switch module for the fw to parse the IP address: since the
> original session goes to the fw and the redirected one goes to
> PacketFence, both containing the user's IP within the IP packet, isn't
> PacketFence able to grab the IP address directly from the session
> with the portal?
>
It's just because we need to be able to parse the URL to fetch the IP
information; for some other vendor it can be ?DEVICEIP=1.2.3.4, for
Checkpoint it can be ?IPDEVICE=1.2.3.4.
Also, at the end of the registration the switch module needs to know how
to tell the fw that the device is registered, and I think it can be with
a Firewall SSO request.
>
>
> About OAuth, I understand that the user must be able to access the OAuth
> authorization server, which is easily possible through Checkpoint. Hope
> that the access token provided by the auth provider to the client
> (PacketFence) is enough to authenticate the user and proceed to the
> sponsorship and eventually to inform the FW to give the rights to
> access internal resources.
>
>
> Sponsor access without OAuth ??  I understand here that the user can
> access with a locally defined credential instead of a social credential.
> Is that what you are referring to?
>
> I understand that the user can choose any login name/password during
> the registration phase and be sponsored by an employee, and if access is
> permitted by the sponsor, the user will be granted access with the defined
> login/passwd. Right?
>
Sponsor access is like that:
I am a guest and connect to the open SSID, I hit the portal and
PacketFence asks me for my email address and the email address of an
employee (who is allowed to be a sponsor because he is a member of an AD
group, for example).
When I validate the form, the sponsor receives an email asking him if
he wants to allow me to access the network, so he clicks on the link
and hits a page on the PacketFence server.
He puts in his AD credentials and after that my device is allowed to reach
the internet.
So no need to have a username and password, you just need to know an employee.
Regards
Fabrice


>
>
>
> Sent from Outlook <http://aka.ms/weboutlook>
>
>
>
> ------------------------------------------------------------------------
> *From:* Durand fabrice via PacketFence-users
> <packetfence-users@lists.sourceforge.net>
> *Sent:* 7 December 2017 22:32
> *To:* packetfence-users@lists.sourceforge.net
> *Cc:* Durand fabrice
> *Subject:* Re: [PacketFence-users] PoC: Social Login from Captive
> Portal and Firewall (Checkpoint) Enforcement
>  
>
> Ok, so you will need to send a copy of the DHCP traffic to the pf
> server, if you can install the DHCP remote sensor on the DHCP server.
>
> The next step will be to have a switch module for the Checkpoint firewall
> (not a big deal) in order to parse the IP address in the URL.
>
> Also, try the sponsor access first instead of OAuth (OAuth needs
> internet access for the device).
>
>
> Regards
>
> Fabrice
>
>
>
> On 2017-12-07 at 22:18, Benoît Dubé via PacketFence-users wrote:
>>
>> It's the Checkpoint that does the redirection for URL traffic. The
>> firewall is located at the entrance of the datacenter and every user
>> located in the different sites in the province passes through it. So
>> it's all layer 3 (IP). There is no MAC address that either Checkpoint or
>> PacketFence can be aware of. I don't know which parameters are
>> attached to the redirected URL, at least the original URL, since I
>> still have to set up the PoC.
>>
>>
>> Unfortunately, I don't find any reference with the specific setup
>> that we plan. All information is based on the traditional NAC setup,
>> where a controller dynamically modifies VLAN configurations on edge
>> switches. In our case, the enforcement should be done at the IP layer
>> and applied by the fw. Checkpoint provides a captive portal but it
>> isn't able to authenticate against external sources (Google,
>> Facebook, etc). My customer doesn't want to provide accounts for the
>> consultants or any other temporary personnel in their own AD.
>>
>>
>> I have the same challenge with ClearPass that I must test.
>>
>>
>> Thanks, Fabrice
>>
>>
>> Benoît
>>
>>
>>
>> ------------------------------------------------------------------------
>> *From:* Durand fabrice via PacketFence-users
>> <packetfence-users@lists.sourceforge.net>
>> <mailto:packetfence-users@lists.sourceforge.net>
>> *Sent:* 7 December 2017 21:09
>> *To:* packetfence-users@lists.sourceforge.net
>> <mailto:packetfence-users@lists.sourceforge.net>
>> *Cc:* Durand fabrice
>> *Subject:* Re: [PacketFence-users] PoC: Social Login from Captive
>> Portal and Firewall (Checkpoint) Enforcement
>>  
>>
>> Does the redirection contain the MAC address of the device? Do you
>> have an example of the URL with all the parameters? (any documentation)
>>
>> If there is no MAC in the URL, then you will need to send a copy of
>> the DHCP traffic to PacketFence.
>>
>>
>> Also for social login you will need to allow the access to
>> facebook/google/.. websites.
>>
>>
>>
>> On 2017-12-07 at 21:03, Benoît Dubé via PacketFence-users wrote:
>>>
>>> With Checkpoint's Identity Awareness, HTTP or HTTPS requests from unknown
>>> users (from the AD point of view) are redirected to a captive portal URL.
>>>
>>>
>>> Thanks, Fabrice
>>>
>>>
>>> Sent from Outlook <http://aka.ms/weboutlook>
>>>
>>>
>>>
>>> ------------------------------------------------------------------------
>>> *From:* Durand fabrice via PacketFence-users
>>> <packetfence-users@lists.sourceforge.net>
>>> <mailto:packetfence-users@lists.sourceforge.net>
>>> *Sent:* 7 December 2017 20:26
>>> *To:* packetfence-users@lists.sourceforge.net
>>> <mailto:packetfence-users@lists.sourceforge.net>
>>> *Cc:* Durand fabrice
>>> *Subject:* Re: [PacketFence-users] PoC: Social Login from Captive
>>> Portal and Firewall (Checkpoint) Enforcement
>>>  
>>>
>>> Hello Benoît,
>>>
>>>
>>> My question is how the Checkpoint firewall will redirect the
>>> external devices to the captive portal?
>>>
>>> Regards
>>>
>>> Fabrice
>>>
>>>
>>>
>>>
>>>
>>> On 2017-12-06 at 11:58, Benoît Dubé via PacketFence-users wrote:
>>>>
>>>> Hi everyone,
>>>>
>>>>
>>>> I need to do a proof of concept to authenticate external users, in
>>>> a BYOD use case, with their social login and/or their own
>>>> enterprise accounts if they have MS AD, and make the enforcement
>>>> with the Checkpoint Firewall. The most important part is the
>>>> social login.
>>>>
>>>>
>>>> Here is what I think of:
>>>>
>>>> - Every user's traffic goes to the inline firewall, mainly from a
>>>> wired connection
>>>>
>>>> - Internal users are identified against their AD based on
>>>> Checkpoint Identity Awareness (AD Query)
>>>>
>>>> - External users are redirected to a captive portal. This is where
>>>> Packetfence comes to play
>>>>
>>>> - External users register with PacketFence, which authenticates them
>>>> against social login services
>>>>
>>>> - If social authentication succeeds, a sponsorship feature sends a
>>>> message to a defined sponsor who accepts or denies the user. The
>>>> sponsor should be able to set the role/group for each user.
>>>>
>>>> - Packetfence should keep user information to manage future access.
>>>>
>>>> - Later, when a registered user is redirected to the Captive
>>>> Portal (PacketFence) for identification, PacketFence should
>>>> authenticate against the social login service and, if it succeeds, send
>>>> RADIUS accounting data to the Checkpoint to give the user network
>>>> access based on the policy defined in the Checkpoint. Checkpoint
>>>> R80 should also receive and parse the group information from
>>>> PacketFence within the RADIUS accounting. This group information is
>>>> related to the role/group defined by the sponsor when users register.
>>>>
>>>>
>>>> As you can see, there is no 802.1X involved, nor VLAN
>>>> assignment/enforcement. Enforcement is applied by the firewall.
>>>>
>>>>
>>>> Is it a possible use case for PacketFence ? If yes, what are the
>>>> main steps to configure this ?
>>>>
>>>>
>>>> Benoît
>>>>
>>>>
>>>>
>>>>
>>>> ------------------------------------------------------------------------------
>>>> Check out the vibrant tech community on one of the world's most
>>>> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
>>>>
>>>>
>>>> _______________________________________________
>>>> PacketFence-users mailing list
>>>> PacketFence-users@lists.sourceforge.net
>>>> <mailto:PacketFence-users@lists.sourceforge.net>
>>>> https://lists.sourceforge.net/lists/listinfo/packetfence-users
>>>
>>>
>>>
>>
>>
>>
>
>
>

-- 
Fabrice Durand
fdur...@inverse.ca ::  +1.514.447.4918 (x135) ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
(http://packetfence.org) 
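The redirect-URL parsing and IP-to-MAC step that Fabrice describes above, as an added example in Python rather than a PacketFence Perl switch module (this is not code from the project or from anyone in the thread). The two query-parameter names come from the thread; the DHCP lease table, the hostname and the cross-check against the HTTP session's source address are assumptions for the demo.

```python
# Added example (not PacketFence code): pull the device IP out of the
# firewall's captive-portal redirect URL, then map it to a MAC with a table
# a DHCP remote sensor would feed to PacketFence. Everything below is constructed.
import ipaddress
from urllib.parse import urlparse, parse_qs

# Query parameter carrying the device IP, per vendor (names taken from the thread).
IP_PARAM_BY_VENDOR = {"checkpoint": "IPDEVICE", "other": "DEVICEIP"}

# Constructed ip -> mac table, as learned from copied DHCP traffic (assumption).
DHCP_IP2MAC = {
    "10.20.30.40": "00:11:22:33:44:55",
    "10.20.30.41": "66:77:88:99:aa:bb",
}


def device_ip_from_redirect(url, vendor, connection_src_ip=None):
    """Return the device IP carried in the redirect URL, or None if unusable.

    connection_src_ip, when given, is the source address the portal actually
    saw on the HTTP session (the point raised in the thread). The URL parameter
    is client-controlled, so a mismatch is rejected rather than trusted.
    """
    param = IP_PARAM_BY_VENDOR[vendor]
    values = parse_qs(urlparse(url).query).get(param, [])
    if len(values) != 1:
        return None  # parameter missing or supplied more than once
    try:
        ip = str(ipaddress.IPv4Address(values[0]))
    except ipaddress.AddressValueError:
        return None  # not a well-formed IPv4 address
    if connection_src_ip is not None and ip != connection_src_ip:
        return None  # parameter disagrees with the observed source address
    return ip


def resolve_mac(url, vendor, connection_src_ip=None):
    """Mimic the portal's IP-to-MAC step: ("ok", mac) or ("error", reason)."""
    ip = device_ip_from_redirect(url, vendor, connection_src_ip)
    if ip is None:
        return ("error", "no usable device IP in redirect URL")
    mac = DHCP_IP2MAC.get(ip)
    if mac is None:
        # No lease seen: this is the case where the portal shows an error,
        # because PacketFence identifies a device by MAC, not by IP.
        return ("error", f"no DHCP lease seen for {ip}")
    return ("ok", mac)
```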

