Thanks Ludovic!  I'll give this a try.  I think my issue was trying to use
the existing Active Directory internal source and not doing an LDAP one.

"The thing is, for PF to use the username given from the cert: by default it
would try to match that username as a sAMAccountName. Make sure it matches
and it will work."
- For this part, the phone's cert subject is the MAC address.  Is there a
way for PacketFence to use the stripped username instead of looking at the
cert's subject?



On Mon, Jul 4, 2022 at 12:02 PM Zammit, Ludovic <[email protected]> wrote:

> Hello Joe,
>
> Yes, PacketFence does exactly what you want it to do.
>
> The only thing is that you need to put a LDAP source on a connection
> profile that catches the EAP TLS authentication.
>
> The thing is, for PF to use the username given from the cert: by default it
> would try to match that username as a sAMAccountName. Make sure it matches
> and it will work.
>
> You could also do another check: you could create a RADIUS filter / VLAN
> filter that checks the MAC OUI of the device and allows only yours; maybe it
> would be less work than creating 800+ AD accounts.
>
> Thanks,
>
> *Ludovic Zammit*
> *Product Support Engineer Principal*
> *Cell:* +1.613.670.8432
> Akamai Technologies - Inverse
> 145 Broadway
> Cambridge, MA 02142
> Connect with Us: <https://community.akamai.com> <http://blogs.akamai.com>
> <https://twitter.com/akamai> <http://www.facebook.com/AkamaiTechnologies>
> <http://www.linkedin.com/company/akamai-technologies>
> <http://www.youtube.com/user/akamaitechnologies?feature=results_main>
>
> On Jul 2, 2022, at 2:07 PM, Joe Clempka via PacketFence-users <[email protected]> wrote:
>
> Hey All,
>
> Is it possible when using EAP-TLS to restrict based on stripped username?
>
> The VoIP phones I am using send the last few characters of their MAC
> address for username and that is being used as the stripped name, and
> thus forced into the NULL realm (doesn't seem like there is any way
> around that).
>
> EAP-TLS works fine - phone powers on, sends its cert signed by the
> phone vendor CA, and PacketFence trusts the CA for this EAP profile
> and allows it.
>
> But the issue is the cert on the phones is a generic one provided by the
> manufacturer.  This means that ANY VoIP phone by this vendor could
> come onto the network and start the EAP-TLS process, as it will
> present to PacketFence a certificate signed by the CA that I told
> PacketFence to use for EAP-TLS (defined under PKI SSL Certificates
> --> SSL Certificates --> Certificate Authority; I just paste in the
> CAs I use, then map that to a TLS Profile and then an EAP Profile, and then
> map that EAP Profile to the NULL realm).
>
> The vendor said they don't support PacketFence and said to use
> Microsoft's NPS server, as that can use EAP-TLS plus look up
> against AD for a username (that would be equal to the stripped MAC
> address).  So Microsoft's way would be EAP-TLS where the stripped
> username must exist in AD plus have a cert issued by the phone vendor
> (and thus only user objects we create in AD with specific stripped
> names would be allowed).
>
> In AD, you would have a username with the last part of the MAC
> address, and a cert assigned to that user in AD (extracted from the
> phone).  During EAP-TLS, it verifies the user object exists AND that
> it has a cert issued by the trusted CA.  Versus in PacketFence it just
> cares that the client cert is issued by a trusted CA, and anyone with
> a cert signed by that CA would be trusted (so any VoIP phone by that
> vendor).
>
> Is it possible in PacketFence to look up against AD and/or restrict
> based on a list of stripped names (it would be 800+ phone MAC
> names...)?
>
> Thanks!
>
>
_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
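The thread contrasts three ways of gating phones that all carry a certificate from the same vendor CA: trusting the CA alone (what Joe describes PacketFence doing today), trusting the CA plus requiring the stripped username and the cert subject to match an inventory (the NPS-style check Ludovic says PacketFence can do with an LDAP source), and trusting the CA plus a MAC OUI filter. The following is an added example written for this page, not PacketFence's or the vendor's code: a small Python model of those three decisions so the difference is visible on concrete inputs. The CA names, MACs, usernames and the inventory are constructed sample data, and the realm-stripping and MAC-normalization helpers are this example's own assumptions about how the username and cert subject would be compared; real chain validation is assumed to have happened before the issuer name is passed in.

```python
"""
Added example (not PacketFence or vendor code). Models three EAP-TLS
authorization policies for VoIP phones that share one vendor CA:

  ca_only          : accept if the client cert chains to a trusted CA
  ca_plus_identity : also require the realm-stripped User-Name to exist in an
                     inventory and the cert subject (the phone's MAC) to agree
                     with that inventory entry (the NPS-style check)
  oui              : CA trusted and the device's MAC OUI is on an allow list

All data below is constructed for illustration.
"""
import re
from dataclasses import dataclass

_NON_HEX = re.compile(r"[^0-9a-f]")


@dataclass(frozen=True)
class EapTlsRequest:
    username: str         # RADIUS User-Name, e.g. "a1b2c3" or "a1b2c3@voip"
    calling_station: str  # Calling-Station-Id, e.g. "00-11-22-A1-B2-C3"
    cert_subject_cn: str  # CN of the presented client certificate
    cert_issuer: str      # CA the cert chained to (chain already validated)


def normalize_mac(value: str) -> str:
    """'00-11-22-A1-B2-C3', '0011.22a1.b2c3', '00:11:22:a1:b2:c3' -> '001122a1b2c3'."""
    return _NON_HEX.sub("", value.lower())


def strip_realm(username: str) -> str:
    """Drop an '@realm' suffix or 'DOMAIN\\' prefix, as a RADIUS realm strip would."""
    if "@" in username:
        username = username.split("@", 1)[0]
    if "\\" in username:
        username = username.rsplit("\\", 1)[1]
    return username.lower()


def policy_ca_only(req: EapTlsRequest, trusted_cas: set) -> bool:
    return req.cert_issuer in trusted_cas


def policy_ca_plus_identity(req: EapTlsRequest, trusted_cas: set, inventory: dict) -> bool:
    """inventory maps stripped username -> full MAC (what the AD objects would hold)."""
    if req.cert_issuer not in trusted_cas:
        return False
    user = strip_realm(req.username)
    expected_mac = inventory.get(user)
    if expected_mac is None:
        return False  # username not provisioned: a foreign phone from the same vendor
    expected = normalize_mac(expected_mac)
    # The cert subject must be the inventoried MAC and the username its tail,
    # so a valid vendor cert for a different phone is refused.
    return normalize_mac(req.cert_subject_cn) == expected and expected.endswith(user)


def policy_oui(req: EapTlsRequest, trusted_cas: set, allowed_ouis: set) -> bool:
    ouis = {normalize_mac(o) for o in allowed_ouis}
    return req.cert_issuer in trusted_cas and normalize_mac(req.calling_station)[:6] in ouis


# Constructed sample data.
TRUSTED_CAS = {"CN=Vendor Phone CA"}
INVENTORY = {"a1b2c3": "00:11:22:a1:b2:c3"}   # one phone we own
ALLOWED_OUIS = {"00:11:22"}                     # the vendor's OUI

OWN_PHONE = EapTlsRequest("a1b2c3", "00-11-22-A1-B2-C3", "00:11:22:A1:B2:C3", "CN=Vendor Phone CA")
# Same vendor, same CA, same OUI, but not in our inventory.
FOREIGN_PHONE = EapTlsRequest("d4e5f6", "00-11-22-D4-E5-F6", "00:11:22:D4:E5:F6", "CN=Vendor Phone CA")
# Claims our username but presents the foreign phone's certificate.
MISMATCHED = EapTlsRequest("a1b2c3@voip", "00-11-22-A1-B2-C3", "00:11:22:D4:E5:F6", "CN=Vendor Phone CA")
# Right identity, cert from an untrusted CA.
OTHER_CA = EapTlsRequest("a1b2c3", "00-11-22-A1-B2-C3", "00:11:22:A1:B2:C3", "CN=Some Other CA")


def evaluate(req: EapTlsRequest) -> dict:
    return {
        "ca_only": policy_ca_only(req, TRUSTED_CAS),
        "ca_plus_identity": policy_ca_plus_identity(req, TRUSTED_CAS, INVENTORY),
        "oui": policy_oui(req, TRUSTED_CAS, ALLOWED_OUIS),
    }


if __name__ == "__main__":
    for name, req in [("own", OWN_PHONE), ("foreign", FOREIGN_PHONE),
                      ("mismatched", MISMATCHED), ("other_ca", OTHER_CA)]:
        print(name, evaluate(req))
```

Running it shows the point of the thread: the foreign phone passes both the CA-only and the OUI policy, because it shares the vendor's CA and OUI with the phones you own, and only the inventory-bound check refuses it; the same check also refuses a request that carries an inventoried username together with some other phone's certificate.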
