Hey all, is it possible, when using EAP-TLS, to restrict based on the stripped username?

The VoIP phones I am using send the last few characters of their MAC address as the username, and that is being used as the stripped name and thus forced into the NULL realm (there doesn't seem to be any way around that). EAP-TLS works fine: the phone powers on, sends its cert signed by the phone vendor CA, and PacketFence trusts the CA for this EAP profile and allows it. But the issue is that the cert on the phones is a generic one provided by the manufacturer. This means that ANY VoIP phone by this vendor could come onto the network and start the EAP-TLS process, as it will present to PacketFence a certificate signed by the CA that I told PacketFence to use for EAP-TLS (defined under PKI SSL Certificates --> SSL Certificates --> Certificate Authority; I just paste in the CAs I use, then map that to a TLS Profile and then an EAP Profile, and then map that EAP Profile to the NULL realm).

The vendor said they don't support PacketFence and said to use Microsoft's NPS server, as that can use EAP-TLS plus look up a username against AD (that would be equal to the stripped MAC address). So Microsoft's way would be EAP-TLS where the stripped username must exist in AD plus have a cert issued by the phone vendor (and thus only user objects we create in AD with specific stripped names would be allowed). In AD, you would have a username with the last part of the MAC address and a cert assigned to that user in AD (extracted from the phone). During EAP-TLS, it verifies the user object exists AND that it has a cert issued by the trusted CA. Versus in PacketFence, it just cares that the client cert is issued by a trusted CA, and anyone with a cert signed by that CA would be trusted (so any VoIP phone by that vendor).

Is it possible in PacketFence to look up against AD and/or restrict based on a list of stripped names (it would be 800+ phone MAC names...)? Thanks!
_______________________________________________ PacketFence-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/packetfence-users
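For readers of this thread, the following is an added example (not PacketFence, FreeRADIUS or NPS code, and not from the original poster) that spells out the decision being asked for: a phone is admitted only if its client certificate chains to the trusted vendor CA AND its stripped username is on an allowlist derived from the phone inventory's MAC addresses, which is the NPS-style "cert from trusted CA plus identity must exist" rule applied to the NULL realm. The inputs are modelled as plain values; in a real deployment the issuer DN and chain-verification result would be taken from the RADIUS server's TLS handshake attributes and the username from the User-Name attribute. The issuer DN, MAC addresses and function names (`build_allowlist`, `authorize`, `strip_realm`) are all constructed for this example. It also builds the allowlist from full MACs with a configurable suffix length and reports suffix collisions, since with 800+ phones two devices sharing the same last few hex digits would be indistinguishable by stripped name alone.

```python
"""
Added example (not PacketFence, FreeRADIUS or NPS code): an EAP-TLS
authorization decision that requires BOTH a client certificate chained to
the trusted vendor CA AND a stripped username present on an allowlist built
from the phones' MAC addresses. In a real deployment the issuer DN and the
chain-verification result come from the RADIUS server's TLS handshake and
the username from the User-Name attribute. All DNs and MACs are constructed.
"""
from dataclasses import dataclass
import re

# Constructed issuer DN standing in for the phone vendor's device CA.
TRUSTED_ISSUERS = frozenset({"CN=Phone Vendor Device CA,O=Phone Vendor"})

_HEX12 = re.compile(r"[0-9a-f]{12}")
_SEPARATORS = re.compile(r"[:.\-]")


def normalize_mac(mac: str) -> str:
    """Lower-case a MAC and drop ':' '-' '.' separators; reject anything but 12 hex digits."""
    cleaned = _SEPARATORS.sub("", mac.strip().lower())
    if not _HEX12.fullmatch(cleaned):
        raise ValueError(f"not a MAC address: {mac!r}")
    return cleaned


def build_allowlist(macs, suffix_len=6):
    """Turn a phone inventory (full MACs) into the set of stripped names the phones will send.

    Returns (allowlist, collisions). A collision means two phones share the same
    suffix, so the suffix alone cannot tell them apart: lengthen suffix_len or
    pin those devices some other way.
    """
    seen = {}
    for mac in macs:
        suffix = normalize_mac(mac)[-suffix_len:]
        seen.setdefault(suffix, []).append(mac)
    collisions = {s: owners for s, owners in seen.items() if len(owners) > 1}
    return frozenset(seen), collisions


def strip_realm(user_name: str):
    """Split a RADIUS User-Name into (stripped name, realm); realm is None for the NULL realm."""
    if "@" in user_name:
        name, realm = user_name.rsplit("@", 1)
        return name, realm
    if "\\" in user_name:
        realm, name = user_name.split("\\", 1)
        return name, realm
    return user_name, None


@dataclass(frozen=True)
class EapTlsRequest:
    user_name: str        # User-Name attribute sent by the phone
    cert_issuer: str      # issuer DN of the presented client certificate
    chain_verified: bool  # did the TLS layer validate the chain to a configured CA?


def authorize(req: EapTlsRequest, allowlist, suffix_len=6, trusted_issuers=TRUSTED_ISSUERS):
    """Return (allowed, reason). Both factors must pass: trusted CA and enrolled name."""
    if not req.chain_verified:
        return False, "cert_not_verified"
    if req.cert_issuer not in trusted_issuers:
        return False, "untrusted_issuer"
    name, _realm = strip_realm(req.user_name)
    key = _SEPARATORS.sub("", name.strip().lower())
    if not re.fullmatch(rf"[0-9a-f]{{{suffix_len}}}", key):
        return False, "malformed_name"
    if key not in allowlist:
        # Valid vendor cert but never enrolled: the "any phone by this vendor" case.
        return False, "not_enrolled"
    return True, "ok"


if __name__ == "__main__":
    inventory = ["00:1A:2B:3C:4D:5E", "00-1a-2b-99-88-77", "001A2BAABBCC"]  # constructed
    allowlist, collisions = build_allowlist(inventory)
    issuer = "CN=Phone Vendor Device CA,O=Phone Vendor"
    for req in (
        EapTlsRequest("3C4D5E", issuer, True),               # enrolled phone
        EapTlsRequest("3C4D5E@corp.example", issuer, True),  # same phone, realm stripped
        EapTlsRequest("FFFFFF", issuer, True),               # vendor cert, unknown phone
        EapTlsRequest("3C4D5E", "CN=Other CA", True),        # enrolled name, wrong CA
    ):
        print(req.user_name, authorize(req, allowlist))
```

The point of separating the two checks is that the vendor CA only proves "this is one of the vendor's phones"; it is the allowlist (or an AD lookup in its place) that proves "this is one of our phones". Whichever store holds the names, populate it from the full MAC inventory with a fixed suffix length and refuse to deploy while `collisions` is non-empty.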
