🔐 Assigning VLANs dynamically with the open source #NAC #PacketFence and an MS AD authentication backend.

https://doc.quercylibre.fr/Securit%C3%A9/PacketFence/05-packetfence/

Or how to respect wired/Wi-Fi network segmentation and put an end to the patch-panel headache whenever staff move around 🤯

Enjoy the read and happy experimenting 🙂

Deploying the free software #PacketFence to strengthen network access security 🛡️

https://doc.quercylibre.fr/Securit%C3%A9/PacketFence/01-packetfence/

Having a history with #packetfence as our radius server and currently doing a #proofofconcept with the help of #aruba with their #clearpass product, just quietly from my initial impressions... packetfence seems easier to configure and use

#sysadmin #networking #nac #radius #authentication #opensource

Yes!

#OpenWRT + #Packetfence:

On an unencrypted registration SSID, authorized a client through a portal page.

Then showed the client, via the DPSK (dynamic pre-shared key) provisioner, login data for the encrypted SSID to connect to a network with internet access.

When the client connects to the unencrypted SSID it gets redirected to a portal to enter an email address (and possibly other data). Packetfence sends an email to a pre-configured address (owned by the sponsor) containing a link to approve the request for access.

The client waits on a portal HTML page for the sponsor to click the link. After the sponsor clicks the link to approve the request, the client's web page reloads and shows the name of the encrypted SSID to connect to and a password for the connection.

Next step to accomplish: configure OpenWRT (hostapd) and Packetfence to allow the usage of the PSK to connect to the encrypted SSID.

BTW: Testing this I'm using #deskhop to switch seamlessly between my notebook and my #Librem5 which I use as a test client for the wifi connection to the OpenWRT access point.

Setting up a new #packetfence I tried to set up a portal for a registration VLAN and failed miserably. The portal didn't show.

The solution turned out to be quite simple: a DNS misconfiguration that seems to be part of the default configuration when installing packetfence on Debian.

dns configuration on debian install · Issue #8043 · inverse-inc/packetfence

Describe the bug: After installing packetfence on debian 11.9 the configuration portals didn't work. /etc/hosts contains the following two lines: 127.0.0.1 localhost 127.0.1.1 <hostname>.<domain> <h...

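The /etc/hosts problem from the issue above, turned into a check you can run before the portal is tested. This is an added example, not code from the post or from PacketFence: it flags any line that maps the machine's FQDN to a loopback address (Debian's installer writes the FQDN to 127.0.1.1) and rewrites the file so the name resolves to the address clients actually reach. The sample file, the name pf.example.internal and the address 192.0.2.10 are constructed; which address PacketFence expects for the FQDN on a given install is a deployment decision the script does not make for you.

```python
"""Spot the Debian /etc/hosts default that breaks the PacketFence portal.

Added example, not from the post or from PacketFence. The sample file, the
host name pf.example.internal and the management address 192.0.2.10 are
constructed for this example.
"""
import ipaddress

# Constructed sample: what Debian writes at install time (line 2 is the problem).
SAMPLE_HOSTS = (
    "127.0.0.1\tlocalhost\n"
    "127.0.1.1\tpf.example.internal\tpf\n"
    "::1\tlocalhost ip6-localhost ip6-loopback\n"
)


def _is_loopback(addr):
    """True for 127.0.0.0/8 and ::1; False for anything that is not an address."""
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False


def loopback_fqdn_lines(text, fqdn):
    """Return 1-based line numbers where fqdn is mapped to a loopback address."""
    hits = []
    for no, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()   # drop comments, then tokenize
        if len(fields) > 1 and _is_loopback(fields[0]) and fqdn in fields[1:]:
            hits.append(no)
    return hits


def fix_hosts(text, fqdn, mgmt_ip):
    """Return a corrected /etc/hosts: fqdn (and its short name) -> mgmt_ip.

    Loopback lines lose the fqdn and the short name; if nothing else was on
    the line it is dropped entirely. Every other line is kept as it was.
    """
    ipaddress.ip_address(mgmt_ip)          # raise early on a malformed address
    short = fqdn.split(".")[0]
    out = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) > 1 and _is_loopback(fields[0]) and fqdn in fields[1:]:
            keep = [n for n in fields[1:] if n not in (fqdn, short)]
            if keep:
                out.append("\t".join([fields[0], *keep]))
            continue
        out.append(raw)
    out.append(f"{mgmt_ip}\t{fqdn}\t{short}")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    bad = loopback_fqdn_lines(SAMPLE_HOSTS, "pf.example.internal")
    print("loopback FQDN mappings on lines:", bad)
    print(fix_hosts(SAMPLE_HOSTS, "pf.example.internal", "192.0.2.10"))
```

To run it against a real server, read /etc/hosts into `text` and pass `socket.getfqdn()` as the FQDN; an empty list from `loopback_fqdn_lines()` means the Debian default is not the cause of a missing portal and the search has to move on to the portal's own network configuration.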

To learn more about #wifi and #wlan integration into #packetfence I set up a packetfence server on an #odroid H3.

I'll try to integrate a TP Link RE500 running #OpenWRT. While reading into wifi related stuff I found the README which turned out to be a perfect introduction to the topic.

It didn't deliver on my expectation for documentation about the file hostapd.vlan in OpenWRT, but that might be an include as well. Otherwise its content has been a nice surprise!

GitHub - inverse-inc/packetfence: PacketFence is a fully supported, trusted, Free and Open Source network access control (NAC) solution. Boasting an impressive feature set including a captive-portal for registration and remediation, centralized wired and wireless management, powerful BYOD management options, 802.1X support, layer-2 isolation of problematic devices; PacketFence can be used to effectively secure networks small to very large heterogeneous networks.


Note to myself: to regenerate a config file in #packetfence use

pfcmd service <service> generateconfig

afterwards it can be restarted with

pfcmd service <service> restart

Restarting a service using pfcmd service always recreates the configuration from the templates.

Just registered an un-official #matrix room for #packetfence.

https://matrix.to/#/!lZIzquHjbvBkogyIhq:matrix.org?via=librem.one&via=matrix.org

You're invited to talk on Matrix

Note to myself to remember:

If I delete/change/add Active Directory Domains in #packetfence I need to make sure that in REALMS the changes are reflected.

Otherwise an #802dotX authentication attempt using wpa_supplicant -c /etc/wpa_supplicant/packetfence-demo.conf -D wired -i ens192 might end with EAP-TLV: TLV Result - Failure.
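A check for the mismatch the note above warns about, written as an added example rather than code from the post or from PacketFence. It assumes PacketFence keeps the joined AD domains in conf/domain.conf and the realms in conf/realm.conf under /usr/local/pf, that both are INI files whose section names are the domain or realm names, and that a realm's `domain` key names the domain.conf section used for its NTLM authentication; confirm that layout against the files on your own install before trusting the result. Both sample files are constructed.

```python
"""Cross-check PacketFence realms against the configured AD domains.

Added example, not from the post or from PacketFence. The file layout
(INI sections named after domains/realms, realm key `domain`) is an
assumption about conf/domain.conf and conf/realm.conf; the two sample
files below are constructed.
"""
import configparser

# Constructed sample: one joined domain "corp", plus "lab" that no realm uses.
SAMPLE_DOMAIN_CONF = """\
[corp]
dns_name=corp.example.internal
workgroup=CORP
ad_server=dc1.corp.example.internal

[lab]
dns_name=lab.example.internal
workgroup=LAB
ad_server=dc1.lab.example.internal
"""

# Constructed sample: "old.example.internal" still points at a deleted domain.
SAMPLE_REALM_CONF = """\
[corp.example.internal]
domain=corp
options=strip

[old.example.internal]
domain=legacy
options=strip

[default]
domain=
options=strip
"""


def _load(text):
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep key case exactly as written in the file
    cp.read_string(text)
    return cp


def realm_domain_map(realm_conf):
    """Return {realm: domain} for every realm that names a domain."""
    realms = _load(realm_conf)
    out = {}
    for realm in realms.sections():
        domain = realms.get(realm, "domain", fallback="").strip()
        if domain:
            out[realm] = domain
    return out


def dangling_realms(domain_conf, realm_conf):
    """Realms whose domain no longer exists: NTLM auth through them cannot work."""
    domains = set(_load(domain_conf).sections())
    return {r: d for r, d in realm_domain_map(realm_conf).items() if d not in domains}


def unreferenced_domains(domain_conf, realm_conf):
    """Domains that are joined but that no realm routes authentication to."""
    domains = set(_load(domain_conf).sections())
    used = set(realm_domain_map(realm_conf).values())
    return sorted(domains - used)


if __name__ == "__main__":
    print("dangling realms:", dangling_realms(SAMPLE_DOMAIN_CONF, SAMPLE_REALM_CONF))
    print("unreferenced domains:", unreferenced_domains(SAMPLE_DOMAIN_CONF, SAMPLE_REALM_CONF))
```

On a live box, pass the contents of the two files in place of the samples. A non-empty result from `dangling_realms()` is the configuration state that leaves the wpa_supplicant test above ending in EAP-TLV failure; `unreferenced_domains()` is the opposite oversight, a domain that was joined but that no realm sends users to.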

Packetfence newbie question: why is it so resource intensive for a NAC, when the monitored equipment does just fine with embedded system resources: low power CPUs and mere megabytes of RAM? Packetfence wants a Xeon-class quad-core CPU, 200 GB storage, and a minimum of 12 GB RAM. What's the pay-off for this? What's it doing with these resources that can't be done with a lighter setup? I'm genuinely stumped. Insights appreciated. #packetfence