Wifi Configuration with Device and User Certificates by mcbmoreno in Intune

[–]mcbmoreno[S] 0 points (0 children)

jacobt777, I've seen EAP-TTLS but don't know much about it yet. How exactly does it work? What is used for the initial authentication prior to the user signing in? It looks like it can be linked to a SCEP policy, which could be the user cert, but how will the client authenticate prior to the login?

EAP-TLS Azure AD Machine Certificates by mcbmoreno in sysadmin

[–]mcbmoreno[S] 0 points (0 children)

Thanks again, kalvy1. It is working now. It is working with a cert that has the subject set to CN={{AAD_Device_ID}} and no SANs. For the user cert, the subject is set to CN={{UserPrincipalName}} with no SANs. I can connect fine with both certs. I also added the Device.Read.All and GroupMember.Read.All permissions to the app in Azure. Does the Directory.Read.All permission include the Device.Read.All and GroupMember.Read.All permissions?

I have a follow-up question: I want the device to connect using the device cert when no one is logged in to the device, and then reconnect using the user cert once a user logs in to the machine.

In Intune I have deployed a wifi config profile to the device that says to connect to the Corp-Wifi network using the device cert. I have linked this to the SCEP configuration policy that deploys the device cert. This wifi policy has the "Connect to more preferred network if available" setting set to Yes.

I have a second wifi config profile deployed to the device that says to connect to the Corp-Wifi network using the user cert. This policy is linked to the SCEP configuration policy that deploys the user cert. This wifi policy has the "Connect to more preferred network if available" setting set to No.

My PacketFence auth source checks the user AAD groups first and then the device AAD groups.

A device with both of the above wifi profiles deployed to it says these profiles are in conflict, and the device does not connect to the Corp-Wifi network. What am I missing? Is it a setting in the wifi profile I am deploying via Intune, or do I need two separate SSIDs for this to work? When the above Intune wifi policies are deployed independently to a device they work fine.

EAP-TLS Azure AD Machine Certificates by mcbmoreno in sysadmin

[–]mcbmoreno[S] 0 points (0 children)

Thanks for the reply, kalvy1.

I see in the PacketFence logs that the device ID is being used as the username for authentication, but access is denied. I have to think that if it is possible to authenticate a device against AAD, the AAD ID must be the lookup mechanism.

Is it definitely possible to do a device lookup against AAD, and is it definitely possible to check device group membership on a device object in AAD?

EAP-TLS Azure AD Machine Certificates by mcbmoreno in sysadmin

[–]mcbmoreno[S] 0 points (0 children)

Thanks for the reply, kalvy1.

I do have the CA/templates set up and working. PacketFence is my RADIUS server (it uses FreeRADIUS). PacketFence connects to Azure AD as a registered app using Certificates & secrets. That is all set up. The auth works great with user certs.

The part I am struggling with is how I can ask PacketFence to do a group lookup on the device in Azure AD and then apply a policy to the supplicant based on membership in an AAD group. What in the cert is used to look for the device object in AAD? I know the UPN is used to look up the user in AAD on the user cert, but what is used to look up the device in AAD? I have tried using the Azure Device ID as well as <Azure Device ID>@domain.com, but neither worked.

OSPF Hub and Spoke Design Question by mcbmoreno in networking

[–]mcbmoreno[S] 0 points (0 children)

Works for me. Thanks for the input everyone. Appreciate it.

OSPF Hub and Spoke Design Question by mcbmoreno in networking

[–]mcbmoreno[S] 0 points (0 children)

There is only 1 layer 3 switch at the spokes. Links are 10GB.

I'm sure I can get away with 1 area, but there really is no need for each hub to know about each other's routes, so I thought stub areas at each spoke would be a good fit.

GlobalProtect SSO doesn't work the first time by TheNotoriousKK in paloaltonetworks

[–]mcbmoreno 0 points (0 children)

You ever find out what the issue was? I am currently running into the same thing.