On 13.03.2024 at 21:44, Zammit, Ludovic wrote:
Can you tell me one use case that you want to achieve with EAP TLS
authentication?
Hello Ludovic,
The use case (i.e. requirement) is to register/accept hosts based on
their account/group-membership in the AD irrespective of the current user.
All our hosts have machine certificates issued by our local CA tied
to their hostname which are to be used to authenticate/authorise the
access to the corresponding subnet. The subnet is derived from the AD
group-membership of the host, so the VLAN information (together with
reauthentication interval) is then sent to the switch in the radius
reply. Wireless connections should work in the same way, with additional
CoA. Of course, if the host is yet unknown to packetfence, as long as it
has a valid AD account, it should perform auto-registration. The whole
process relies on the AD account of the host and we would very much
prefer not to use the captive portal.
The subsequent user login is entirely handled by AD and not part of the
Dot1X authentication. The exception being the use of VPN, where the
user authentication is done within packetfence, which works as expected
(Group membership is also checked for the authorization).
Kind regards,
Jochen
_______________________________________________
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users
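As an added example, not taken from the thread and not PacketFence's own code, the following Python sketch models the authorization decision Jochen describes: take the CN of the EAP-TLS machine certificate, confirm the issuer is the local CA, look the host up in AD, auto-register it if it is not yet known, derive the VLAN from its group membership, and build the RADIUS reply with the VLAN plus the reauthentication interval. Everything it relies on is assumed for illustration: the certificate CN equals the AD computer account's DNS hostname, the AD lookup and the group-to-VLAN policy are inline stand-ins, and the reply uses the standard RFC 3580 tunnel attributes with Session-Timeout and Termination-Action=RADIUS-Request so the switch re-authenticates instead of dropping the port. In a real deployment PacketFence does this through its authentication sources, rules and roles; CoA for wireless is not covered here.

```python
"""Added example: EAP-TLS machine-certificate authorization with AD-group based
VLAN assignment. Not PacketFence code; all directory data is constructed."""
from dataclasses import dataclass, field
from typing import Optional

# RADIUS attribute values for dynamic VLAN assignment (RFC 3580, section 3.31)
TUNNEL_TYPE_VLAN = 13                  # Tunnel-Type = VLAN
TUNNEL_MEDIUM_IEEE_802 = 6             # Tunnel-Medium-Type = IEEE-802
TERMINATION_ACTION_RADIUS_REQUEST = 1  # ask the NAS to re-authenticate on timeout

# Assumed issuer DN of the local CA that issues the machine certificates
OUR_CA_ISSUER = "CN=Corp Issuing CA,DC=corp,DC=example"

# Constructed stand-in for the AD lookup: computer account (DNS hostname) -> groups
AD_COMPUTERS = {
    "ws-0042.corp.example": {"Workstations", "Finance-Hosts"},
    "lab-07.corp.example": {"Lab-Hosts"},
    "printer-3.corp.example": set(),  # has an AD account but no VLAN group
}

# Assumed policy: AD group -> VLAN id. Dict order is the priority when a host
# is in several mapped groups (first match wins).
GROUP_TO_VLAN = {
    "Finance-Hosts": 110,
    "Workstations": 100,
    "Lab-Hosts": 200,
}
REAUTH_INTERVAL_SECONDS = 3600  # assumed reauthentication interval


@dataclass
class Decision:
    accept: bool
    reason: str
    reply: dict = field(default_factory=dict)  # RADIUS reply attributes
    auto_registered: bool = False


def cn_from_subject(subject_dn: str) -> Optional[str]:
    """Return the CN of an RFC 4514 style subject DN (escaped commas not handled)."""
    for rdn in subject_dn.split(","):
        key, _, value = rdn.strip().partition("=")
        if key.strip().upper() == "CN" and value.strip():
            return value.strip()
    return None


def vlan_for_groups(groups) -> Optional[int]:
    """Map the host's AD groups to a VLAN; policy order decides on overlap."""
    for group, vlan in GROUP_TO_VLAN.items():
        if group in groups:
            return vlan
    return None


def authorize(subject_dn: str, issuer_dn: str, registered_hosts: set,
              directory=AD_COMPUTERS) -> Decision:
    """Decide Access-Accept/Reject for a validated EAP-TLS client certificate.

    registered_hosts stands in for the NAC's node database: a host with a
    valid AD account that is not in it gets auto-registered on first sight.
    """
    # The TLS handshake already verified the chain; this rejects certificates
    # from any other trusted CA that is not the one issuing machine certs.
    if issuer_dn != OUR_CA_ISSUER:
        return Decision(False, "certificate not issued by our CA")
    cn = cn_from_subject(subject_dn)
    if cn is None:
        return Decision(False, "certificate has no CN")
    host = cn.lower()  # DNS names are case-insensitive
    groups = directory.get(host)
    if groups is None:
        return Decision(False, f"no AD computer account for {host}")
    vlan = vlan_for_groups(groups)
    if vlan is None:
        return Decision(False, f"{host} is in no group that maps to a VLAN")
    auto_registered = host not in registered_hosts
    if auto_registered:
        registered_hosts.add(host)  # no captive portal needed
    reply = {
        "Tunnel-Type": TUNNEL_TYPE_VLAN,
        "Tunnel-Medium-Type": TUNNEL_MEDIUM_IEEE_802,
        "Tunnel-Private-Group-Id": str(vlan),
        "Session-Timeout": REAUTH_INTERVAL_SECONDS,
        "Termination-Action": TERMINATION_ACTION_RADIUS_REQUEST,
    }
    return Decision(True, f"{host} -> VLAN {vlan}", reply, auto_registered)


if __name__ == "__main__":
    known = set()
    for subject in ("CN=ws-0042.corp.example,OU=Computers,DC=corp,DC=example",
                    "CN=ws-0042.corp.example,OU=Computers,DC=corp,DC=example",
                    "CN=printer-3.corp.example,OU=Computers,DC=corp,DC=example",
                    "CN=rogue.corp.example,OU=Computers,DC=corp,DC=example"):
        d = authorize(subject, OUR_CA_ISSUER, known)
        print(d.accept, d.auto_registered, d.reason, d.reply)
```

The first call for ws-0042 auto-registers it and returns the VLAN 110 reply (Finance-Hosts outranks Workstations in the policy order); the second call finds it already registered. A host without an AD account, or with an account but no VLAN-mapped group, is rejected rather than dropped into a default VLAN, which is an assumed policy choice.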