
XIoT onboarding support #7693

Open
mmaymann opened this issue Jun 6, 2023 · 0 comments


mmaymann commented Jun 6, 2023

I suggest we add support for XIoT device onboarding (network devices, EUD, printers, conference equipment, locks, cameras, sensors, OT/ICS, etc.)

  • FDO (FIDO Device Onboard) delivers ZeroTouch XIoT onboarding.
  • Akri handles dynamic leaf devices.

Desired PacketFence ZeroTrust XIoT onboarding functionality:

  1. ZeroTouch FDO (integrating and managing the FDO Rendezvous service)
  2. Semiautomatic Akri (integrating and managing the Akri service)
  3. Manually via the existing CaptivePortal (HTTPS), MQTT/SSH or another mechanism

I have requested MUD (Manufacturer Usage Description) support in FDO:
fido-device-onboard/release-fidoiot#28
This could be used to set a default/editable VLAN ACL for each XIoT device type, as described below.

Initial thoughts on functionality (disclaimer: Unfortunately, I am neither a security specialist nor a professional programmer):
...
  # SwitchPort: enabled + FDO VLAN + port security=1 mac | WLC: Captive portal + FDO VLAN
  # Inputs assumed as shell variables: FDO_THING (yes|no), FDO (unenroled|enroled),
  # THING (Akri|Guest|BYOD|XIoT), ACCESS (WLC|SwitchPort), THING_CERT (valid|invalid).
  # AkriEnrol, FDOEnrol, ReserveIP, Portscan, log and alert are functions still to be written.
  ThingOnboard() {
    if [ "$FDO_THING" = no ]; then
      # Onboard: semi=Akri | self-registration=CaptivePortal: Guest, BYOD, XIoT
      if [ "$THING" = Akri ]; then
        AkriEnrol && return          # return (not exit) so the caller keeps running
      fi
      if [ "$ACCESS" = WLC ]; then
        if [ "$THING" = Guest ]; then
          VLAN=Guest && return
        elif [ "$THING" = BYOD ]; then
          VLAN=BYOD && return
        fi
      fi
      if [ "$THING" = XIoT ]; then
        VLAN=$ThingType && return    # VLAN per device type, MUD ACL applied
      fi
    elif [ "$FDO" = unenroled ]; then
      FDOEnrol && ReserveIP && return
    elif [ "$FDO" = enroled ]; then
      VLAN=$ThingType                # MUD ACL
    elif [ "$THING_CERT" = invalid ]; then
      Portscan && log "switchport|AP, mac, ip, hostname" && alert && return
    fi
  }
...

https://fidoalliance.org/intro-to-fido-device-onboard | https://www.lfedge.org/projects/fidodeviceonboard
https://docs.akri.sh | https://github.com/project-akri/akri
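As an added example (not code from this issue, from PacketFence or from the FDO/Akri projects), the following shows how a MUD file in the RFC 8520 layout could be flattened into the per-device-type allow list plus default deny that the "VLAN=ThingType (MUD ACL)" step above would enforce. The MUD document is constructed sample data, and the (direction, proto, peer, port, action) tuple format is an assumption.

```python
import json

# Constructed minimal MUD file in the RFC 8520 layout (sample data, not from the issue).
MUD_FILE = json.dumps({
    "ietf-mud:mud": {
        "mud-version": 1, "mud-url": "https://vendor.example/camera.json",
        "systeminfo": "Example IP camera",
        "from-device-policy": {"access-lists": {"access-list": [{"name": "cam-fr"}]}},
        "to-device-policy": {"access-lists": {"access-list": [{"name": "cam-to"}]}}},
    "ietf-access-control-list:acls": {"acl": [
        {"name": "cam-fr", "type": "ipv4-acl-type", "aces": {"ace": [{"name": "nvr-out",
            "matches": {"ipv4": {"ietf-acldns:dst-dnsname": "nvr.vendor.example", "protocol": 6},
                        "tcp": {"destination-port": {"operator": "eq", "port": 443}}},
            "actions": {"forwarding": "accept"}}]}},
        {"name": "cam-to", "type": "ipv4-acl-type", "aces": {"ace": [{"name": "nvr-in",
            "matches": {"ipv4": {"ietf-acldns:src-dnsname": "nvr.vendor.example", "protocol": 6},
                        "tcp": {"source-port": {"operator": "eq", "port": 443}}},
            "actions": {"forwarding": "accept"}}]}}]}})

PROTO = {6: "tcp", 17: "udp"}


def mud_to_acl(mud_json):
    """Flatten a MUD file into (direction, proto, peer, port, action) tuples.

    Each direction ends with a default drop, so anything the manufacturer did not
    declare is denied; that default deny is what makes a MUD-derived VLAN ACL useful.
    """
    doc = json.loads(mud_json)
    mud = doc["ietf-mud:mud"]
    acls = {a["name"]: a for a in doc["ietf-access-control-list:acls"]["acl"]}
    rules = []
    for policy, direction in (("from-device-policy", "out"), ("to-device-policy", "in")):
        for ref in mud[policy]["access-lists"]["access-list"]:
            for ace in acls[ref["name"]]["aces"]["ace"]:
                m = ace["matches"]
                ip = m.get("ipv4") or m.get("ipv6") or {}
                # Remote end: dst-dnsname for traffic leaving the device, src-dnsname for inbound.
                peer = ip.get("ietf-acldns:dst-dnsname") or ip.get("ietf-acldns:src-dnsname") or "any"
                proto = PROTO.get(ip.get("protocol"), "any")
                l4 = m.get(proto) or {}
                portkey = "destination-port" if direction == "out" else "source-port"
                port = l4.get(portkey, {}).get("port", "any")
                rules.append((direction, proto, peer, port, ace["actions"]["forwarding"]))
        rules.append((direction, "any", "any", "any", "drop"))
    return mud["systeminfo"], rules
```

The DNS names still have to be resolved by the enforcement point (switch, WLC or firewall) before the tuples become concrete ACL entries.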

@mmaymann mmaymann changed the title FIDO Device Onboard (FDO) support XIoT onboarding support Jun 6, 2023