Fabrice's comment:

Because for PacketFence a device is a MAC address, not an IP.
If you hit the portal and PacketFence is not able to map an IP to a MAC, then you 
will have an error message on the portal.


Reply: I understand. Unfortunately, we wish to manage users' access to 
internal resources, not really devices. I think there is a mismatch between our 
needs and what PacketFence can provide.


Thank you, Benoît



Sent from Outlook <http://aka.ms/weboutlook>


________________________________
From: Fabrice Durand via PacketFence-users 
<packetfence-users@lists.sourceforge.net>
Sent: 8 December 2017 10:09
To: packetfence-users@lists.sourceforge.net
Cc: Fabrice Durand
Subject: Re: [PacketFence-users] PoC: Social Login from Captive Portal and 
Firewall (Checkpoint) Enforcement



On 2017-12-08 at 09:45, Benoît Dubé via PacketFence-users wrote:

Thank you very much Fabrice,


When external users are redirected to the PacketFence portal, IP packets 
contain the user's IP. I can install the DHCP remote sensor on the server, but 
the question is why do that if the IP info is already known by PacketFence?


Because for PacketFence a device is a MAC address, not an IP.
If you hit the portal and PacketFence is not able to map an IP to a MAC, then you 
will have an error message on the portal.


Note: DNS, DHCP and AD will always be available to unregistered users with a 
policy on Checkpoint.


About the switch module for the FW to parse the IP address: since the original 
session goes to the FW and the redirected one goes to PacketFence, both 
containing the user's IP within the IP packet, isn't PacketFence able to 
grab the IP address directly from the session with the portal?

It's just because we need to be able to parse the URL to fetch the IP 
information; for some other vendors it can be ?DEVICEIP=1.2.3.4, for Checkpoint 
it can be ?IPDEVICE=1.2.3.4
Also, at the end of the registration the switch module needs to know how to tell 
the FW that the device is registered, and I think it can be done with a Firewall SSO 
request.


About OAuth, I understand that the user must be able to access the OAuth authorization 
server, which is easily possible through Checkpoint. I hope that the access token 
provided by the auth provider to the client (PacketFence) will be enough to authenticate 
the user, proceed to the sponsorship and eventually inform the FW to give 
the rights to access internal resources.


Sponsor access without OAuth?? I understand here that the user can access with a 
locally defined credential instead of a social credential. Is that what you are 
referring to?

I understand that the user can choose any login name/password during the 
registration phase and be sponsored by an employee, and if access is permitted by 
the sponsor, the user will be granted access with the defined login/passwd. Right?

Sponsor access is like that:
I am a guest and connect to the open SSID, I hit the portal and PacketFence asks 
me for my email address and the email address of an employee (who is allowed to 
be a sponsor because he is a member of an AD group, for example).
When I validate the form, the sponsor receives an email asking him if he 
wants to allow me to access the network, so he clicks on the link and hits a 
page on the PacketFence server.
He enters his AD credentials and after that my device is allowed to reach the internet.
So no need to have a username and password, you just need to know an employee.
Regards
Fabrice
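The two points Fabrice makes above (the switch module must parse the client IP out of the redirect URL, and PacketFence then needs a DHCP-derived IP-to-MAC mapping or the portal shows an error) can be illustrated with a small script. This is an added example, not PacketFence code or anything from the project; the parameter names IPDEVICE/DEVICEIP are the two the thread mentions, and the function names, the lookup-table name and the sample lease data are constructed for illustration. It goes slightly beyond the thread by accepting either vendor's parameter name and rejecting values that are not syntactically valid IP addresses before any lookup happens.

```python
"""Added example (not PacketFence code): turn an inline-firewall captive-portal
redirect into the MAC-keyed device identity PacketFence works with, and show
why a missing DHCP-derived IP->MAC mapping ends in a portal error.

Assumptions (constructed, not from the thread): the function names, the
SAMPLE_IPLOG table and the example URLs.
"""
import ipaddress
from urllib.parse import urlparse, parse_qs

# Query parameters that firewall vendors use to hand the client's IP to the
# portal. The thread names IPDEVICE (Checkpoint) and DEVICEIP (another vendor);
# treating the list as a lookup order is an assumption of this example.
CLIENT_IP_PARAMS = ("IPDEVICE", "DEVICEIP")

# Constructed stand-in for the IP->MAC table PacketFence builds from the DHCP
# traffic it sees (for instance via the DHCP remote sensor). Not real data.
SAMPLE_IPLOG = {
    "10.20.30.40": "00:11:22:33:44:55",
    "10.20.30.41": "66:77:88:99:aa:bb",
}


def client_ip_from_redirect(url: str):
    """Return the client IP carried in the portal redirect URL, or None.

    Only a syntactically valid IPv4/IPv6 address is accepted; anything else
    in the parameter is treated as absent so it never reaches a table lookup.
    """
    query = parse_qs(urlparse(url).query)
    for name in CLIENT_IP_PARAMS:
        for value in query.get(name, []):
            try:
                return str(ipaddress.ip_address(value.strip()))
            except ValueError:
                continue  # malformed value: ignore it, keep looking
    return None


def device_mac_for_portal_hit(url: str, iplog=SAMPLE_IPLOG):
    """Resolve a portal hit to the MAC address PacketFence keys devices on.

    Returns (mac, None) on success, or (None, reason) when the portal would
    have to show an error: no usable IP in the URL, or an IP that the DHCP
    feed never associated with a MAC (the failure Fabrice describes).
    """
    ip = client_ip_from_redirect(url)
    if ip is None:
        return None, "no client IP parameter in redirect URL"
    mac = iplog.get(ip)
    if mac is None:
        return None, f"no MAC known for {ip}: DHCP traffic not seen by PacketFence"
    return mac, None


if __name__ == "__main__":
    # Constructed redirect URLs: a known device, an unknown IP, a bad value.
    for u in (
        "https://portal.example.net/captive-portal?IPDEVICE=10.20.30.40&url=http://x",
        "https://portal.example.net/captive-portal?DEVICEIP=10.20.30.99",
        "https://portal.example.net/captive-portal?IPDEVICE=not-an-ip",
    ):
        print(u, "->", device_mac_for_portal_hit(u))
```

In a real deployment the table would be fed by DHCP (the remote sensor or a copy of the DHCP traffic), which is exactly why the sensor is still needed even though the redirect already carries the IP: the IP alone does not identify a device for PacketFence.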






Sent from Outlook <http://aka.ms/weboutlook>


________________________________
From: Durand fabrice via PacketFence-users 
<packetfence-users@lists.sourceforge.net>
Sent: 7 December 2017 22:32
To: packetfence-users@lists.sourceforge.net
Cc: Durand fabrice
Subject: Re: [PacketFence-users] PoC: Social Login from Captive Portal and 
Firewall (Checkpoint) Enforcement


OK, so you will need to send a copy of the DHCP traffic to the PF server, if you 
can install the DHCP remote sensor on the DHCP server.

The next step will be to have a switch module for the Checkpoint firewall (not a 
big deal) in order to parse the IP address in the URL.

Also, try the sponsor access first instead of OAuth (OAuth needs internet access 
for the device).


Regards

Fabrice


On 2017-12-07 at 22:18, Benoît Dubé via PacketFence-users wrote:

It's the Checkpoint that does the redirection for URL traffic. The firewall is 
located at the entrance of the datacenter and every user located at different 
sites in the province passes through it. So it's all layer 3 (IP). There is no 
MAC address that either Checkpoint or PacketFence can be aware of. I don't know which 
parameters are attached to the redirected URL, at least the original URL, since 
I have yet to set up the PoC.


Unfortunately, I can't find any reference to the specific setup that we plan. 
All the information is based on a traditional NAC setup, where a controller 
dynamically modifies VLAN configurations on edge switches. In our case, the 
enforcement should be done at the IP layer and applied by the FW. Checkpoint 
provides a captive portal but it isn't able to authenticate against external 
sources (Google, Facebook, etc.). My customer doesn't want to provide accounts 
for the consultants or any other temporary personnel in their own AD.


I have the same challenge with ClearPass that I must test.


Thanks Fabrice


Benoît


________________________________
From: Durand fabrice via PacketFence-users 
<packetfence-users@lists.sourceforge.net>
Sent: 7 December 2017 21:09
To: packetfence-users@lists.sourceforge.net
Cc: Durand fabrice
Subject: Re: [PacketFence-users] PoC: Social Login from Captive Portal and 
Firewall (Checkpoint) Enforcement


Does the redirection contain the MAC address of the device? Do you have an 
example of the URL with all the parameters? (any documentation)

If there is no MAC in the URL then you will need to send a copy of the DHCP 
traffic to PacketFence.


Also, for social login you will need to allow access to the Facebook/Google/... 
websites.


On 2017-12-07 at 21:03, Benoît Dubé via PacketFence-users wrote:

With Checkpoint's Identity Awareness, HTTP or HTTPS requests from unknown users (from the AD point 
of view) are redirected to a captive portal URL.


Thanks Fabrice


Sent from Outlook <http://aka.ms/weboutlook>


________________________________
From: Durand fabrice via PacketFence-users 
<packetfence-users@lists.sourceforge.net>
Sent: 7 December 2017 20:26
To: packetfence-users@lists.sourceforge.net
Cc: Durand fabrice
Subject: Re: [PacketFence-users] PoC: Social Login from Captive Portal and 
Firewall (Checkpoint) Enforcement


Hello Benoît,


My question is how the Checkpoint firewall will redirect the external devices 
to the captive portal?

Regards

Fabrice




On 2017-12-06 at 11:58, Benoît Dubé via PacketFence-users wrote:

Hi everyone,


I need to do a proof of concept to authenticate external users, in a BYOD use 
case, with their social login and/or their own enterprise accounts if they have 
MS AD, and do the enforcement with the Checkpoint Firewall. The most important 
part is the social login.


Here is what I think of:

- Every user's traffic goes to the inline firewall, mainly from a wired connection

- Internal users are identified against their AD based on Checkpoint Identity 
Awareness (AD Query)

- External users are redirected to a captive portal. This is where PacketFence 
comes into play

- External users register with PacketFence, which authenticates them against social 
login services

- If social authentication succeeds, a sponsorship feature sends a message to a 
defined sponsor who accepts or denies the user. The sponsor should be able to set 
the role/group for each user.

- PacketFence should keep user information to manage future access.

- Later, when a registered user is redirected to the Captive Portal 
(PacketFence) for identification, PacketFence should authenticate against the 
social login service and, if it succeeds, send RADIUS accounting data to the 
Checkpoint to give them network access based on the policy defined in the 
Checkpoint. Checkpoint R80 should also receive and parse the group information 
from PacketFence within the RADIUS accounting. This group information is 
related to the role/group defined by the sponsor when users register.


As you can see, there is no 802.1X involved, nor VLAN assignment/enforcement. 
Enforcement is applied by the firewall.


Is this a possible use case for PacketFence? If so, what are the main steps to 
configure this?


Benoît




------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot



_______________________________________________
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users






--
Fabrice Durand
fdur...@inverse.ca ::  +1.514.447.4918 (x135) ::  
www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
(http://packetfence.org)