On 14.03.2024 at 19:38, Zammit, Ludovic wrote:
This is how I would do it:

- Do EAP TLS computer authentication on the devices
- Make sure to install the Root CA that signed the computer cert into PacketFence root CA authority under Config / SSL certificate / Root CA
- Create a connection profile with a sub connection filter on TLS
- On that source, put an AD source that is configured properly with:

The search attributes on DNsHostName, then having a rule that does a search on serviceprincipalName starts with host/


Hello Ludovic,

as far as I can see, our config (now) looks exactly like you suggested, but the PC is still shown with owner host/myhost.my.domain and host/myhost.my.domain is listed under Users. But why is PacketFence looking for a user in the first place? Shouldn't it be clear from the serviceprincipalName and DNsHostName (along with the authentication mode setting on the Windows supplicant) that only machine authentication is requested? Is this hardwired into PacketFence? Besides, wouldn't the form host/ (or host$ for that matter) imply at least that this is not a user? MAB authentication, for example, displays "default" as owner. It would be perfect if the EAP-TLS auth could do the same, or at least set any fixed name, so that the Users tab is kept clear of all the hostnames. If no other means exist, would it be possible to use e.g. a RADIUS filter to set the associated username to something like 'default' or 'machine', filtering on maybe EAP-TLS, authenticator switch or a TLS-Client-Cert-Common-Name starting with host/? What would such a filter look like?

Kind regards,

     Jochen



_______________________________________________
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users
