Hello David,
On 30/01/2020 15:54, David Harvey via PacketFence-users wrote:
> I currently have a functional setup where users get allocated their
> VLANs properly regardless of if they do MAB or EAP, but I've not for
> love nor money been able to work out how to discriminate between the two
> effectively.
You can use two connection profiles to distinguish EAP-TLS and MAB (on
wired):
#v+
# cat profiles.conf
[eap-tls]
locale=
filter=connection_type:Ethernet-EAP,connection_sub_type:EAP-TLS
[mab]
locale=
filter=connection_type:Ethernet-NoEAP
#v-
But IIRC, handling broken EAP clients could be tricky. In fact, it's hard
to distinguish a badly configured supplicant from an unauthorized
supplicant. I'm not sure your network devices will always fall back to
MAB when you have a badly configured supplicant that receives a RADIUS
reject message (e.g. due to an expired cert). RADIUS and VLAN filters
could certainly help you.
--
Nicolas Quiniou-Briand
[email protected] :: +1.514.447.4918 *140 :: https://inverse.ca
Inverse inc. :: Leaders behind SOGo (https://sogo.nu), PacketFence
(https://packetfence.org) and Fingerbank (http://fingerbank.org)
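
Added example, not part of the original message and not PacketFence code: a small check for the fallback case described above, where a MAC gets an EAP reject and is then accepted through MAB shortly afterwards. The event fields, the sample records and the 300 second window are assumptions; a request is treated as MAB when it carries no EAP-Message and its User-Name is the MAC address, which is the common switch behaviour but not guaranteed.

```python
import re

# Constructed sample events: (ts, User-Name, Calling-Station-Id, has EAP-Message, reply).
# Hypothetical field layout, not PacketFence's own log format.
RAW = [
    (100, "host1.example.org", "AA-BB-CC-00-00-01", True, "Access-Reject"),
    (130, "aabbcc000001", "AA-BB-CC-00-00-01", False, "Access-Accept"),
    (200, "host2.example.org", "AA-BB-CC-00-00-02", True, "Access-Accept"),
    (300, "aabbcc000003", "aa:bb:cc:00:00:03", False, "Access-Accept"),
    (400, "host4.example.org", "AA-BB-CC-00-00-04", True, "Access-Reject"),
    (2000, "aabbcc000004", "AA-BB-CC-00-00-04", False, "Access-Accept"),
]
FIELDS = ("ts", "user_name", "calling_station_id", "eap_message", "reply")
EVENTS = [dict(zip(FIELDS, row)) for row in RAW]


def norm_mac(value):
    """Lowercase and drop separators so different MAC spellings compare equal."""
    return re.sub(r"[^0-9a-f]", "", value.lower())


def classify(event):
    """Return 'eap', 'mab' or 'other' for one authentication request."""
    if event["eap_message"]:
        return "eap"
    user = norm_mac(event["user_name"])
    if len(user) == 12 and user == norm_mac(event["calling_station_id"]):
        return "mab"
    return "other"


def find_mab_fallbacks(events, window_s=300):
    """List (mac, reject_ts, accept_ts) where a MAB accept follows an EAP reject."""
    last_eap_reject = {}
    hits = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        mac = norm_mac(ev["calling_station_id"])
        kind = classify(ev)
        if kind == "eap" and ev["reply"] == "Access-Reject":
            last_eap_reject[mac] = ev["ts"]
        elif kind == "eap":
            # A later successful EAP login clears the pending reject.
            last_eap_reject.pop(mac, None)
        elif kind == "mab" and ev["reply"] == "Access-Accept":
            rejected_at = last_eap_reject.pop(mac, None)
            if rejected_at is not None and ev["ts"] - rejected_at <= window_s:
                hits.append((mac, rejected_at, ev["ts"]))
    return hits
```

Each hit is a device that failed 802.1X and still ended up on the network through MAB, which is the case worth reviewing against the VLAN the MAB profile hands out.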