Hello Johannes Mudrich

 

Perhaps this idea is what you are looking for 😊

 

To secure our APs we do the following:

1. MAC authentication for our APs
2. Create a Radius Filter Engine that matches your AP/requirements and modify the reply:

   Answers:
     Reply:Egress-VLAN-Name - 1VLXXX-VLAN1
     Reply:Egress-VLAN-Name - 1VLXXX-VLAN2
     Reply:HP-Port-MA-Port-Mode - 1

   Scopes:
     returnRadiusAccessAccept

This is working with our HP switches and should work with every AP (if your 
Radius Filter is set correctly 😉).

Idea: detect the AP on the port, authenticate it based on your rules and modify 
the RADIUS answer to set the allowed tagged VLANs and switch the port from 
user-based authentication to port-based (HP-Port-MA-Port-Mode / 
HPE-Port-MA-Port-Mode). That way the AP will “unlock” the switchport as long as 
a link is active.

“Generally, the “Port Based” method supports one 802.1X-authenticated client on 
a port, which opens the port to an unlimited number of clients.”

 

If someone unplugs the AP, the port switches back to user-based, and no 
“unsecure” devices are allowed. Plug the AP in again, the normal authentication 
is done and, based on the RADIUS filter configured before, the RADIUS response 
will contain the “command” to switch back to port-based authentication.

 

WiFi clients are automatically allowed on the switchport. You must configure 
802.1X/MAC auth on the WiFi controller/AP to authenticate the WiFi clients.

 

I am only using HPE, but other vendors should be able to switch the 802.1X 
authentication to port-based, too.

 

 

Best Regards

Michael Weber

 
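As an added illustration of the scheme in the message above (this is not code from the message, nor PacketFence's filter engine or configuration), the following Python models the two pieces a practitioner would want to check: the RFC 4675 Egress-VLAN-Name encoding (tag indicator "1" = tagged, "2" = untagged, which is why the values above start with "1"), and the port behaviour where HP-Port-MA-Port-Mode = 1 opens the port only while an authenticated AP keeps the link up. The MAC inventory, VLAN names, node categories and the SwitchPort model are constructed assumptions; the meaning of HP-Port-MA-Port-Mode = 1 is taken from the message, not from a vendor dictionary.

```python
"""Model of the AP-port scheme described above: a MAC-authenticated access
point gets tagged VLANs via RFC 4675 Egress-VLAN-Name plus the HP VSA
HP-Port-MA-Port-Mode = 1, which flips the port to port-based mode while the
link stays up. Added illustration, not PacketFence's own filter engine or
configuration; AP list, VLAN names and the port model are constructed."""

# RFC 4675, section 2.3: the first octet of Egress-VLAN-Name is a tag
# indicator, ASCII "1" = tagged egress, ASCII "2" = untagged egress.
TAGGED = "1"
UNTAGGED = "2"

# HP vendor attribute named in the thread; value 1 = port-based mode
# (semantics as described in the message above, assumed here).
HP_PORT_MODE_ATTR = "HP-Port-MA-Port-Mode"
PORT_BASED = 1

# Constructed sample inventory: what the NAC would know after step 1
# (MAC registration). Only nodes in the "Access Points" role get the reply.
REGISTERED_NODES = {
    "00:11:22:33:44:55": {"category": "Access Points", "hostname": "ap-floor1"},
    "aa:bb:cc:dd:ee:01": {"category": "default", "hostname": "laptop-42"},
}
# Placeholders standing in for the thread's VLXXX-VLAN1 / VLXXX-VLAN2 names.
AP_TAGGED_VLANS = ["VL100-STAFF", "VL200-GUEST"]


def egress_vlan_name(name, tagged=True):
    """Encode one VLAN name as an Egress-VLAN-Name attribute value."""
    if not name or not name.isprintable():
        raise ValueError("VLAN name must be a printable, non-empty string")
    return (TAGGED if tagged else UNTAGGED) + name


def parse_egress_vlan_name(value):
    """Decode an Egress-VLAN-Name value into (vlan_name, tagged).
    A value without the mandatory tag indicator is rejected rather than
    silently treated as an untagged VLAN."""
    if len(value) < 2 or value[0] not in (TAGGED, UNTAGGED):
        raise ValueError("malformed Egress-VLAN-Name: %r" % (value,))
    return value[1:], value[0] == TAGGED


def authenticate(mac):
    """Stand-in for MAC auth plus the step-2 filter. Returns
    (accepted, reply_attributes); only a node in the AP role gets the
    VLAN list and the port-mode attribute. Every other node's reply is
    left untouched so the port stays in user-based mode."""
    node = REGISTERED_NODES.get(mac.lower())
    if node is None:
        return False, []
    if node["category"] != "Access Points":
        return True, []
    reply = [("Egress-VLAN-Name", egress_vlan_name(v)) for v in AP_TAGGED_VLANS]
    reply.append((HP_PORT_MODE_ATTR, PORT_BASED))
    return True, reply


def unlocks_port(reply):
    """Does this reply switch the port to port-based mode, i.e. open it to
    every device behind it? Worth asserting on non-AP replies in a test."""
    return any(a == HP_PORT_MODE_ATTR and v == PORT_BASED for a, v in reply)


class SwitchPort:
    """Minimal model of the edge-port behaviour: user-based authentication
    by default, port-based only while an authenticated AP keeps the link up."""

    def __init__(self):
        self.link_down()

    def link_down(self):
        """Cable pulled: forget the AP and drop back to user-based mode."""
        self.port_based = False
        self.authorized = set()
        self.tagged_vlans = []

    def link_up(self, mac):
        """A device appears on the port and is MAC-authenticated."""
        accepted, reply = authenticate(mac)
        if not accepted:
            return False
        self.authorized.add(mac.lower())
        if unlocks_port(reply):
            self.port_based = True
            self.tagged_vlans = [parse_egress_vlan_name(v)[0]
                                 for a, v in reply if a == "Egress-VLAN-Name"]
        return True

    def admits(self, mac):
        """Would a frame from this MAC be forwarded? In port-based mode
        anything passes (this is what lets WiFi clients through the AP);
        otherwise only authenticated MACs do."""
        return self.port_based or mac.lower() in self.authorized
```

The `unlocks_port` check is the one to keep around: whatever filter rule you write, a test that feeds it a non-AP node and asserts the reply never carries the port-mode attribute catches the misconfiguration that would turn every edge port into an open port.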

From: Mudrich, J. via PacketFence-users <packetfence-users@lists.sourceforge.net>
Sent: Wednesday, 22 March 2023 07:26
To: packetfence-users@lists.sourceforge.net
Cc: Mudrich, J. <j.mudr...@altmark-klinikum.de>
Subject: Re: [PacketFence-users] secure AP Uplink Ports

 

Hello Mirko,

 

The problem with MAC-based authentication is that the port will be blocked as 
soon as a new MAC is registered on the port. So this doesn’t work for access 
point uplink ports, especially when providing a guest SSID.

On our switches port-security only works with SNMP traps, which I didn’t want to 
set up since we already configured everything for RADIUS. Also it didn’t work 
with PF for some reason.

 

Kind regards

Johannes

 

From: sgiops sgiops via PacketFence-users <packetfence-users@lists.sourceforge.net>
Sent: Tuesday, 21 March 2023 15:29
To: packetfence-users@lists.sourceforge.net
Cc: sgiops sgiops <thesgi...@gmail.com>
Subject: Re: [PacketFence-users] secure AP Uplink Ports

 

Hello Johannes,

 

Maybe you are describing the "port-security" functionality (this is usually a 
feature provided by the switch OS). Or you can use MAC address based 
authentication by manually registering the node (AP).

 

Regards

 

Mirko

 

On Tue, 21 Mar 2023 at 15:19, Mudrich, J. via PacketFence-users 
<packetfence-users@lists.sourceforge.net> wrote:

Hello everyone,

 

I have another question regarding port security: Is there any way I can secure 
a port on an edge switch where an access point is connected?

I’m thinking of a scenario where someone takes a ladder, pulls the cable from 
an access point and connects his own device.

Maybe some mechanism like: if the port comes up without the AP's MAC, close the port.

 

Thanks

Johannes

 

Johannes Mudrich
Staff member, IT
Altmark-Klinikum gGmbH
Ernst-von-Bergmann-Straße 22
39638 Gardelegen
Tel.: 03907 791229
Fax: 03907 791248
Mail: j.mudr...@altmark-klinikum.de



_______________________________________________
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users
 