07-15-2024 07:34 AM
I am attempting to implement this in my home lab. Has anyone done this?
Basically the situation where if a device connects to the network, it should have a certificate installed from my CA. If it does not, then a security policy (or other policy) should deny the device network traffic.
Some articles suggest the use of GlobalProtect but I do not have this license. Can anyone confirm that it is otherwise possible?
07-15-2024 09:01 AM
Kind of the wrong tool for the job really. If you wanted to do something like this you would want to utilize 802.1X authentication on your LAN which would look at the device's machine certificate to validate authentication. This is relatively easily setup assuming that you manage the clients.
In the event that they fail authentication you could do what you wanted to with them. That could be isolating the unauthenticated clients to a different VLAN so that they're isolated away from your authenticated clients and just given internet access, or just dropping the clients completely and not letting them send anything.
You could also go the other route and setup something like PacketFence if you wanted to go the NAC route so you could make exceptions a little easier depending on your requirements. Using native 802.1X you can also setup MAB exceptions for clients that can't authenticate for some reason, but PacketFence gives you more fine-grain control over things.
If you are stuck on only using the firewall you could make a _somewhat_ similar experience using captive portals and authentication rules, but I'm personally not really a fan of this method. It's something the firewall can do, but it's a bit like pounding a square peg into a round hole. With enough force you can make anything work.
07-15-2024 07:53 AM
You would want to utilize GlobalProtect for this, you don't need a license unless you want to use it on mobile devices (linux falls under this requirement as well). If this is a LAB licensed unit you should have all of the applicable licenses if you have an active LAB license bundle. I would definitely look into a LAB device with active subscriptions if you're just running a home lab environment; the cost is nominal to keep everything active.
07-15-2024 08:53 AM
Hi, thanks for responding. I was hoping to achieve something without GlobalProtect because as I'd understand it the clients would need to install the globalprotect software.
The scenario I am trying to implement is where unmanaged devices attempt to connect to the network. Of course my intent to use certificates may not be the best way to achieve this protection but I live and learn 🙂
07-15-2024 09:01 AM
Kind of the wrong tool for the job really. If you wanted to do something like this you would want to utilize 802.1X authentication on your LAN which would look at the device's machine certificate to validate authentication. This is relatively easily setup assuming that you manage the clients.
In the event that they fail authentication you could do what you wanted to with them. That could be isolating the unauthenticated clients to a different VLAN so that they're isolated away from your authenticated clients and just given internet access, or just dropping the clients completely and not letting them send anything.
You could also go the other route and setup something like PacketFence if you wanted to go the NAC route so you could make exceptions a little easier depending on your requirements. Using native 802.1X you can also setup MAB exceptions for clients that can't authenticate for some reason, but PacketFence gives you more fine-grain control over things.
If you are stuck on only using the firewall you could make a _somewhat_ similar experience using captive portals and authentication rules, but I'm personally not really a fan of this method. It's something the firewall can do, but it's a bit like pounding a square peg into a round hole. With enough force you can make anything work.
07-15-2024 12:31 PM
Really(!!) appreciate the lengthy reply. One more question if you have any more time. What *would* be the correct tool? Are we talking a layer 3 hardware switch? I wasn't 100% on what you meant in the first paragraph in terms of enforcing/preventing network access where the certificate was not present on a device.
(For info, I have a working PKI in place - just trying to get a proof of concept together using whatever tools I can scrape together for free and spun up in a VM - will look at Packetfence, very interesting)
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
