That does sound good and maybe later a more advanced option where we can do custom queries against users and devices.
Corey Keeling | Senior IT Technician

________________________________
From: Fabrice Durand <[email protected]>
Sent: Tuesday, October 31, 2023 6:25:24 PM
To: Corey Keeling (Shared Services - Staff) <[email protected]>
Cc: [email protected] <[email protected]>
Subject: Re: [PacketFence-users] Query AzureAD Device Groups

It could be something simple like allowing the graph API URL change in the admin GUI. Then you will choose between device check and user check.

On Tue, Oct 31, 2023 at 14:17, Corey Keeling (Shared Services - Staff) <[email protected]> wrote:

From looking at that file you linked me to the %username in my case is the AzureAD deviceID of the machine as that's what I have set the certificate subject to. CN={{DeviceID}}. That graph search is looking under users, so it won't return any groups for my device. It would just error out. I imagine I could change that graph query in that file to one that searches groups instead but would need to test. Is there any planned support for device lookup?
Corey Keeling | Senior IT Technician

________________________________
From: Fabrice Durand <[email protected]>
Sent: Tuesday, October 31, 2023 6:06:11 PM
To: [email protected] <[email protected]>
Cc: Corey Keeling (Shared Services - Staff) <[email protected]>
Subject: Re: [PacketFence-users] Query AzureAD Device Groups

If I am not wrong the Azure AD tests the user and not the machine
https://github.com/inverse-inc/packetfence/blob/devel/lib/pf/Authentication/Source/AzureADSource.pm#L28

Regards
Fabrice

On Tue, Oct 31, 2023 at 13:23, Corey Keeling (Shared Services - Staff) via PacketFence-users <[email protected]> wrote:

Dear community,

I have been setting up and testing out PacketFence for a number of weeks now and have it set up so that users can authenticate to our BYOD network using EAP-TLS. I also have it sort of set up to allow school AzureAD devices to connect to our curriculum network using machine certificates.

The second part only works if I don't set any conditions under my AzureAD authentication sources. I have tried to set a condition for membership of an AzureAD group using the memberof option either with the Object ID of the group or its display name, but it doesn't seem to work.
No role gets assigned so it fails to connect. There doesn't even seem to be any audit log of PacketFence trying to query a group on the app registration end.

I know I can query the graph API via graph explorer and can find the groups my machine belongs to, but can PacketFence do something similar and if so, how?

The query that I used:
https://graph.microsoft.com/v1.0//devices(deviceId='{deviceid}')/memberOf

Regards
Corey Keeling | Senior IT Technician

_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
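The user lookup versus device lookup discussed in this thread, as an added example that is not part of the original messages and is not PacketFence's code: it builds the Graph memberOf URL for either identity kind, validates the certificate CN as a GUID before it goes into the URL, follows paging, and checks a memberof-style condition. The function names, the device ID, the group IDs and the two response pages are constructed for illustration, and `fetch_offline` stands in for an authenticated GET.

```python
import uuid
from urllib.parse import quote

GRAPH = "https://graph.microsoft.com/v1.0"

def member_of_url(identity, kind):
    """Build the Graph memberOf URL for a user or a device identity."""
    if kind == "user":
        return f"{GRAPH}/users/{quote(identity, safe='@')}/memberOf"
    if kind == "device":
        # The certificate CN is untrusted input: accept only a GUID, in canonical form.
        device_id = str(uuid.UUID(identity))  # raises ValueError otherwise
        # deviceId is an alternate key, hence devices(deviceId='...') rather than /devices/{id}
        return f"{GRAPH}/devices(deviceId='{device_id}')/memberOf"
    raise ValueError(f"unknown identity kind: {kind}")

def collect_groups(fetch, url):
    """Follow @odata.nextLink paging; return {object_id: displayName} for groups only."""
    groups = {}
    while url:
        page = fetch(url)
        for obj in page.get("value", []):
            if obj.get("@odata.type") == "#microsoft.graph.group":
                groups[obj["id"]] = obj.get("displayName")
        url = page.get("@odata.nextLink")
    return groups

def is_member(groups, wanted):
    """Match a condition value against group object IDs first, then display names."""
    # Display names are not unique in a tenant, so the object ID is the safer condition.
    return wanted in groups or wanted in groups.values()

# Constructed sample data: device ID, group IDs and both response pages are made up.
DEVICE_CN = "{11111111-2222-3333-4444-555555555555}"
FIRST = member_of_url(DEVICE_CN, "device")
NEXT = FIRST + "?$skiptoken=constructed"
PAGES = {
    FIRST: {"@odata.nextLink": NEXT, "value": [
        {"@odata.type": "#microsoft.graph.administrativeUnit",
         "id": "aaaaaaaa-0000-0000-0000-000000000001", "displayName": "Campus AU"},
        {"@odata.type": "#microsoft.graph.group",
         "id": "bbbbbbbb-0000-0000-0000-000000000002", "displayName": "Curriculum-Devices"}]},
    NEXT: {"value": [
        {"@odata.type": "#microsoft.graph.group",
         "id": "cccccccc-0000-0000-0000-000000000003", "displayName": "Autopilot-All"}]},
}

def fetch_offline(url):
    """Stand-in for an authenticated GET returning parsed JSON."""
    return PAGES[url]
```

`memberOf` returns direct memberships only; a device that reaches the group through a nested group needs `transitiveMemberOf` instead.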
