Hello Sofiane,

You just described a full project with PacketFence. To be honest, I highly doubt that you could achieve that with just the mailing-list help; I would suggest you consult our support offers in order to speed up that process.
Let me try to answer your questions as best as possible.

You can do 802.1X EAP-TLS on an 802.1X WPA2 Enterprise SSID without issue; you can even do EAP-PEAP on that same SSID. There is no fail-safe feature on an 802.1X WPA Enterprise SSID. What you could implement is a hidden SSID with PSK that you push with GPO on Windows domain-joined machines.

When you implement 802.1X you don't need to touch anything on the production network; you re-use what's there.

You can use your ADCS (Windows PKI) and the PacketFence PKI at the same time. Use the Windows PKI for your domain-joined machines, which can get a certificate (user + computer), and use the PacketFence PKI to provide certificates to BYOD (non-domain machines).

We usually deploy a PacketFence cluster of 3 nodes, where you can get some high availability spread across 2 different hosts. If the servers become totally unresponsive, you can rely on the switch/wireless controller feature that can either try to contact another RADIUS server or fail into an open state.

Once a device establishes an 802.1X connection, no VLAN is assigned until the RADIUS authentication is done, so you won't be able to use your "trash" VLAN. No connection is made yet.

For your remediation, it's doable, but you will need some criteria to isolate the device in order to redirect it into the isolation VLAN.

As I said, the mailing list is there to answer a few of your questions, not for full project implementation; we do offer paid services to help you achieve what you want.
Thanks,

Ludovic Zammit
Product Support Engineer Principal
Cell: +1.613.670.8432
Akamai Technologies - Inverse
145 Broadway
Cambridge, MA 02142
Connect with Us: <https://community.akamai.com/> <http://blogs.akamai.com/> <https://twitter.com/akamai> <http://www.facebook.com/AkamaiTechnologies> <http://www.linkedin.com/company/akamai-technologies> <http://www.youtube.com/user/akamaitechnologies?feature=results_main>

> On May 9, 2022, at 3:46 PM, sofiane JALID via PacketFence-users <packetfence-users@lists.sourceforge.net> wrote:
>
> Hello, I have WiFi controllers and Cisco Aironet 1852 APs compatible with 802.1X. My idea is to imperatively control and authenticate by certificate the WiFi users who are in my domain, and to create a specific configuration for the users who come with their own machine. My access controllers have several SSIDs, and for this proof of concept I have to connect two buildings with WiFi terminals and Cisco ASR 1000 switches. I would also like my PacketFence server to be able to do 802.1X on a specific VLAN, on a specific SSID, but not touch the current configuration in production. What are the procedures to achieve this? Then, do I use my Active Directory as the company PKI, or do I use the PacketFence server as the root CA server? If ever the RADIUS drops or PacketFence goes down, are there fail-open features? Or do I have to create a second ray of server which will be in charge of communicating with my WiFi access controllers? I would like there to be a trash VLAN at connection time for the duration of the 802.1X validation; then, if it's OK, the VLAN should change. Does the WiFi certificate process on a machine in my domain or outside my domain require you to add a user account and password to retrieve the certificate from my Active Directory for a machine in the domain? Can I also not allow machines that are not in my domain to talk with my Active Directory, and create a remediation such as Windows Update, antivirus? And can PacketFence manage the machines out of the domain by implanting them on a particular VLAN which will not have access to certain networks? How can I proceed? I need documentation and to adapt a template for my Aironet WiFi and my controllers. My Active Directory is connected to my server; the green light seems to tell me that the server is well connected, however I want to be sure that everything is OK from this point of view. Thank you for your explanations.
>
> Best regards
>
> Sofiane
> _______________________________________________
> PacketFence-users mailing list
> PacketFence-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/packetfence-users
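The two fallback behaviours Ludovic mentions (try another RADIUS server, or fail into an open state when none answer) are features of the access device, not of PacketFence. As an added illustration that is not part of the original thread and not PacketFence's own documentation, here is the wired equivalent on a Cisco IOS access switch: two PacketFence cluster members in one RADIUS server group (the failover), dead-server detection, and a critical-authentication VLAN that the port is authorized into only once every server in the group has been declared dead (the fail-open). Server addresses, the shared secret, VLAN IDs and the interface name are hypothetical placeholders; the wireless controller in the original question has a comparable feature but its syntax differs.

```cisco
! --- RADIUS servers: two PacketFence cluster members (hypothetical addresses) ---
aaa new-model
!
radius server PF-NODE1
 address ipv4 192.0.2.11 auth-port 1812 acct-port 1813
 key REPLACE-WITH-SHARED-SECRET
!
radius server PF-NODE2
 address ipv4 192.0.2.12 auth-port 1812 acct-port 1813
 key REPLACE-WITH-SHARED-SECRET
!
! The switch walks this group in order, so node 2 is tried when node 1 is silent.
aaa group server radius PACKETFENCE
 server name PF-NODE1
 server name PF-NODE2
!
aaa authentication dot1x default group PACKETFENCE
aaa authorization network default group PACKETFENCE
!
! A server is marked dead after 3 unanswered requests within 10 s,
! and stays out of rotation for 5 min before being probed again.
radius-server dead-criteria time 10 tries 3
radius-server deadtime 5
!
dot1x system-auth-control
!
! --- Access port: no VLAN is assigned until RADIUS answers (no "trash" VLAN
! during validation). Only when ALL servers in the group are dead does the
! port fall open into VLAN 999; restrict that VLAN to the bare minimum, since
! anything landing there has not been authenticated.
interface GigabitEthernet1/0/10
 switchport mode access
 authentication port-control auto
 authentication event server dead action authorize vlan 999
 authentication event server alive action reinitialize
 dot1x pae authenticator
```

The `server alive action reinitialize` line matters as much as the dead action: without it, sessions authorized into the critical VLAN during an outage stay there until the port bounces. Also note what this does not give you: the port remains unauthorized while a RADIUS request is outstanding, which is why the per-connection "trash" VLAN asked about above is not available on an 802.1X port.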