List: packetfence-users
Subject: Re: [PacketFence-users] Computer LDAP Authentication Source Question
From: Durand fabrice via PacketFence-users <packetfence-users () lists ! sourceforge ! net>
Date: 2019-11-22 3:33:20
Message-ID: 942de03b-e638-115d-68e7-e496fddde22e () inverse ! ca
Hello Christian,
What you can do is follow this:
https://github.com/inverse-inc/packetfence/blob/devel/docs/PacketFence_Installation_Guide.asciidoc#advanced-access-configuration
As you can see in the example, you can make a difference between the
domain-joined device and the BYOD.
So the logic is the following:
Create 2 authentication sources, one for TRUSTED and another one for
UNTRUSTED devices, and make the correct rules.
After that, create 2 connection profiles: one for TRUSTED (match a device
that did machine authentication in a previous connection and connects on
SSID Secure) and assign the TRUSTED source to it, and another connection
profile for UNTRUSTED (match a device that does user authentication and
never did machine authentication on a secure SSID) and assign the
UNTRUSTED authentication source to it.
Don't forget to enable autoregistration on both connection profiles.
You should be good with that.
Regards,
Fabrice
On 19-11-18 at 14:50, Christian McDonald via PacketFence-users wrote:
> Greetings,
>
> I have a simple authentication source for domain-joined Windows
> machines that uses the servicePrincipalName. This works great. I know
> that I can do single sign on via GPO which will cause the machine to
> re-authenticate using the sAMAccountName after user logon...so, at the
> logon screen, the servicePrincipalName is used and once a user logs in
> the sAMAccountName is used.
>
> However, I'd like to push users onto different VLANs based on whether
> they login via a domain-joined machine versus a BYOD machine (i.e.
> non-domain-joined).
>
> So the operational logic would be:
>
> If machine is domain-joined and user is a memberOf yourFavoriteGroup
> then role TRUSTED
> If machine is *not* domain-joined and user is a memberOf
> yourFavoriteGroup then role UNTRUSTED.
>
> Any ideas?
>
> Best,
>
> Christian
>
>
> _______________________________________________
> PacketFence-users mailing list
> PacketFence-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/packetfence-users
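A stand-alone sketch of the decision logic the reply describes (two connection profiles keyed on whether the device ever did machine authentication on the secure SSID, each applying its own source's memberOf rule). This is an added illustration, not PacketFence code or configuration; the `host/` identity prefix used to recognise machine authentication, the MAC-keyed history, the directory contents and the event sequence are all assumptions constructed for the example.

```python
"""Decision logic for the TRUSTED / UNTRUSTED split described in the reply.

Added illustration, not PacketFence code.  Assumptions: machine
authentication is recognised by the 'host/' identity prefix that a
Windows supplicant sends, the authentication history is keyed by the
client MAC, and every record below is constructed.
"""
from dataclasses import dataclass
from typing import Optional

SECURE_SSID = "Secure"
FAVORITE_GROUP = "yourFavoriteGroup"

# Constructed directory: identity -> groups it is a memberOf.
DIRECTORY = {
    "jdoe": {"yourFavoriteGroup", "Domain Users"},
    "guest1": {"Domain Users"},
    "host/pc1.corp.example": {"Domain Computers"},
}

# One rule list per authentication source: (required group, role granted).
SOURCES = {
    "TRUSTED": [(FAVORITE_GROUP, "TRUSTED")],
    "UNTRUSTED": [(FAVORITE_GROUP, "UNTRUSTED")],
}


@dataclass(frozen=True)
class AuthEvent:
    mac: str
    identity: str  # 'host/pc1.corp.example' (machine) or 'jdoe' (user)
    ssid: str


def is_machine_auth(identity: str) -> bool:
    """Machine-account identity?  Assumption: the supplicant sends 'host/<fqdn>'."""
    return identity.lower().startswith("host/")


def did_machine_auth(mac: str, history: list, ssid: str = SECURE_SSID) -> bool:
    """Has this MAC ever completed machine authentication on the secure SSID?
    Keyed by MAC on purpose: a BYOD laptop used by the same person must not
    inherit the trust earned by that person's domain-joined PC."""
    return any(e.mac == mac and e.ssid == ssid and is_machine_auth(e.identity)
               for e in history)


def select_profile(event: AuthEvent, history: list) -> Optional[str]:
    """Connection-profile filters: the two profiles from the reply."""
    if event.ssid != SECURE_SSID:
        return None
    if did_machine_auth(event.mac, history):
        return "TRUSTED"        # machine auth seen (now or earlier) on Secure
    if not is_machine_auth(event.identity):
        return "UNTRUSTED"      # user auth from a device that never did machine auth
    return None


def assign_role(source: str, identity: str) -> Optional[str]:
    """Authentication-source rules: the first matching memberOf rule wins."""
    groups = DIRECTORY.get(identity, set())
    for required_group, role in SOURCES[source]:
        if required_group in groups:
            return role
    return None   # no rule matched: no role is granted


def authorize(event: AuthEvent, history: list) -> Optional[str]:
    """Record the event, pick the profile, then apply that profile's source."""
    history.append(event)
    profile = select_profile(event, history)
    if profile is None:
        return None
    return assign_role(profile, event.identity)


def walkthrough() -> list:
    """Constructed sequence: a corporate PC boots, jdoe logs in on it, jdoe
    then brings a personal laptop, and guest1 (not in the group) connects."""
    history: list = []
    events = [
        AuthEvent("aa:bb:cc:00:00:01", "host/pc1.corp.example", "Secure"),  # logon screen
        AuthEvent("aa:bb:cc:00:00:01", "jdoe", "Secure"),                   # after user logon
        AuthEvent("aa:bb:cc:00:00:02", "jdoe", "Secure"),                   # BYOD, same user
        AuthEvent("aa:bb:cc:00:00:03", "guest1", "Secure"),                 # user outside group
    ]
    return [authorize(e, history) for e in events]
```

Running `walkthrough()` yields `[None, "TRUSTED", "UNTRUSTED", None]`: the same user lands in TRUSTED from the domain-joined PC and in UNTRUSTED from the personal laptop, because trust is attached to the device's MAC rather than to the user name. The `None` for the very first request is the caveat worth noticing: a memberOf rule written for users does not match the computer account, so the TRUSTED source also needs a rule that grants the machine-authentication request a role, which the thread does not spell out.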