inverse-inc / packetfence

PacketFence is a fully supported, trusted, Free and Open Source network access control (NAC) solution. Boasting an impressive feature set including a captive-portal for registration and remediation, centralized wired and wireless management, powerful BYOD management options, 802.1X support, layer-2 isolation of problematic devices; PacketFence can be used to effectively secure small to very large heterogeneous networks.
https://packetfence.org
GNU General Public License v2.0

InTune Provisioner checks WIFI Mac Address only #6000

Open derelict opened 3 years ago

derelict commented 3 years ago

Is your feature request related to a problem? Please describe. Yes. The Intune Provisioner only checks against the wifimacaddress on the Intune device object. Therefore, Ethernet devices (notebooks with an Ethernet connection) cannot be validated.

Describe the solution you'd like: Check the Wi-Fi and/or Ethernet MAC address depending on the connection type.

Describe alternatives you've considered: Alternatively, check both MAC addresses if the connection type cannot be taken into account at that time.

Additional context: none

julsemaan commented 3 years ago

We'll need to have a test setup to be able to do this, not sure if @fdurand has something we can use.

fdurand commented 3 years ago

I forgot to pay the 1000$ Azure licence to manage my unique user. If you have the attribute that contains the wired MAC address, then it will help.

julsemaan commented 3 years ago

> I forgot to pay the 1000$ Azure licence to manage my unique user.

But like don't you work at Inverse? Should have the cash-money to pay for that

Isn't that @lzammit on the left by any chance? [image]

derelict commented 3 years ago

Seems like this is not part of the v1.0 API yet ...

But Beta does provide this:

https://github.com/microsoftgraph/microsoft-graph-docs/blob/master/api-reference/beta/api/intune-devices-windowsmanageddevice-get.md

But a quick test (again, I maybe know 0.5% Perl ;-) ) seemed like the API returns "null" for ethernetMacAddress:

Nov 25 15:46:52 nac packetfence_httpd.portal: httpd.portal(32076) ERROR: [mac:nn:nn:nn:nn:nn] Got error code {"@odata.context":"https://graph.microsoft.com/beta/$metadata#deviceManagement/managedDevices(ethernetMacAddress,complianceState)","@odata.count":1,"value":[{"ethernetMacAddress":null,"complianceState":"noncompliant"}]} when contacting the Graph API. Here's the response body : (pf::provisioner::intune::decode_response)

julsemaan commented 3 years ago

I created a patch that will read the Ethernet MAC if it's there (while keeping in mind that it might not be there if it's only in the BETA API).

Apply it using:

cd /usr/local/pf/
curl https://github.com/inverse-inc/packetfence/compare/feature/intune-ethernet-mac.diff | patch -p1
/usr/local/bin/pfcmd service pf restart

If the field is there, it will use it, otherwise it won't do more than what it does today.

Let me know how it goes
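The fallback described in the comment above (use the Ethernet MAC when the field is present, otherwise behave as before), sketched in Perl as an added example; this is not the patch linked above or PacketFence's own code. The helper names and sample bodies are constructed, and it assumes Graph's `wiFiMacAddress` and `ethernetMacAddress` values may arrive with or without separators, or as null.

```perl
use strict;
use warnings;
use JSON::PP qw(decode_json);

# Hypothetical helper: reduce a MAC to 12 lowercase hex digits.
# Returns undef for JSON null, empty strings and malformed values, so a
# missing ethernetMacAddress can never compare equal to anything.
sub normalize_mac {
    my ($mac) = @_;
    return undef unless defined $mac;
    (my $hex = lc $mac) =~ s/[:.\-\s]//g;
    return $hex =~ /\A[0-9a-f]{12}\z/ ? $hex : undef;
}

# Hypothetical helper: name of the Graph field matching the connecting MAC, or undef.
sub matching_mac_field {
    my ($body, $device_mac) = @_;
    my $wanted = normalize_mac($device_mac);
    return undef unless defined $wanted;
    my $decoded = eval { decode_json($body) };
    return undef unless ref($decoded) eq 'HASH' && ref($decoded->{value}) eq 'ARRAY';
    for my $device (@{ $decoded->{value} }) {
        next unless ref($device) eq 'HASH';
        for my $field (qw(wiFiMacAddress ethernetMacAddress)) {
            my $candidate = normalize_mac($device->{$field});
            return $field if defined $candidate && $candidate eq $wanted;
        }
    }
    return undef;
}

# Constructed sample bodies, shaped like the response quoted in this thread.
my $eth_null = '{"value":[{"wiFiMacAddress":"00005E005301","ethernetMacAddress":null}]}';
my $eth_set  = '{"value":[{"wiFiMacAddress":"00005E005301","ethernetMacAddress":"00005E005302"}]}';

for my $case (
    [ 'wifi, ethernet null',  $eth_null, '00:00:5e:00:53:01' ],
    [ 'wired, ethernet null', $eth_null, '00:00:5e:00:53:02' ],
    [ 'wired, ethernet set',  $eth_set,  '00-00-5E-00-53-02' ],
    [ 'malformed client MAC', $eth_set,  'nn:nn:nn:nn:nn' ],
) {
    my ($label, $body, $mac) = @$case;
    printf "%-22s => %s\n", $label, matching_mac_field($body, $mac) // 'no match';
}
```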

julsemaan commented 3 years ago

Did this patch work? If so, I'd like to integrate it into our code.

derelict commented 3 years ago

Give me some time to check it ;-)

Are you "sure" that the v1.0 API does provide the ethernetMacAddress at all? (See my post above.)

julsemaan commented 3 years ago

I'm not, but if it's there then it will work. Since I don't have access to Intune, using you as a guinea pig is pretty much my only option :)