Hello Michael,

I set up a new RADIUS filter with the following settings:

Condition: node_info.mac starts with xx:xx:xx (vendor part of the MAC)
Merge Answer: yes
Answer:
  Reply Egress-VLANID 1
  Reply Egress-VLANID 4
  Reply Egress-VLANID 200
  Reply HP-Port-MA-Port-Mode 1

The final RADIUS reply:

  REST-HTTP-Status-Code = 200
  Reply-Message = "Request processed by PacketFence"
  Tunnel-Medium-Type = IEEE-802
  Tunnel-Type = VLAN
  Egress-VLANID = 1
  Egress-VLANID = 4
  Egress-VLANID = 200
  HP-Port-MA-Port-Mode = 1
  Tunnel-Private-Group-Id = "254"

All VLAN IDs are present on the switch. But the switch says:

Log:
  02400 dca: macAuth client, RADIUS-assigned VID validation error. MAC C8665D6E5AC0 port 5 VLAN-Id 0 or unknown.

Port-Access:
  Port Access MAC-Based Status

        Auths/  Unauth   Untagged  Tagged            % In   RADIUS  Cntrl  Port
  Port  Guests  Clients  VLAN      VLANs   Port COS  Limit  ACL     Dir    Mode
  ----  ------  -------  --------  ------  --------  -----  ------  -----  ----------
  5     0/0     1        None      No      No        No     No      both   1000FDx

It's an HPE/Aruba 2510-48G (J9772A).

What did I miss? And how do I check for registered devices only in the filter conditions? I couldn't find a suitable option even in the developer's guide. Is there documentation somewhere describing all the options?

I also tried "radius_request.calling-station-id" at first, but this didn't work at all. So I switched to "node_info.mac".

When I remove the Egress-VLANs from the filter, it seems to work, just without the tagged VLANs.

Thanks
Johannes

Johannes Mudrich
IT staff member
Altmark-Klinikum gGmbH
Ernst-von-Bergmann-Straße 22
39638 Gardelegen
Tel.: 03907 791229
Fax.: 03907 791248
Mail: j.mudr...@altmark-klinikum.de

From: michael.weber [mailto:michael.we...@my-chi.de]
Sent: Thursday, 23 March 2023 13:57
To: Mudrich, J. <j.mudr...@altmark-klinikum.de>
Cc: packetfence-users@lists.sourceforge.net
Subject: Re: RE: [PacketFence-users] secure AP Uplink Ports

Let me know if you need some more input. I can provide screenshots and other stuff, that's not a problem :)

On 23.03.2023 08:48, "Mudrich, J." <j.mudr...@altmark-klinikum.de> wrote:

Hello Michael,

THANK YOU! That sounds promising. Now I just have to understand. :D
I'll get back to you if I have further questions.

Kind regards
Johannes

From: Michael Weber [mailto:michael.we...@my-chi.de]
Sent: Thursday, 23 March 2023 07:53
To: packetfence-users@lists.sourceforge.net
Cc: Mudrich, J. <j.mudr...@altmark-klinikum.de>
Subject: RE: [PacketFence-users] secure AP Uplink Ports

Hello Johannes Mudrich,

Perhaps this idea is what you are looking for 😊 To secure our APs we do the following:

1. MAC authentication for our APs
2. Create a RADIUS Filter Engine rule that matches your AP/requirements and modify the reply:
   Answers:
     Reply:Egress-VLAN-Name - 1VLXXX-VLAN1
     Reply:Egress-VLAN-Name - 1VLXXX-VLAN2
     Reply:HP-Port-MA-Port-Mode - 1
   Scopes: returnRadiusAccessAccept

This is working with our HP switches and should work with every AP (if your RADIUS filter is set correctly 😉).

Idea: detect the AP on the port, authenticate it based on your rules and modify the RADIUS answer to set the allowed tagged VLANs and to switch the port from user-based authentication to port-based (HP-Port-MA-Port-Mode / HPE-Port-MA-Port-Mode). That way the AP will "unlock" the switch port as long as a link is active.

"Generally, the "Port Based" method supports one 802.1X-authenticated client on a port, which opens the port to an unlimited number of clients."

If someone unplugs the AP, the port switches back to user-based, and no "unsecure" devices are allowed. Plug in the AP, the normal authentication is done and, based on the RADIUS filter configured before, the RADIUS response will contain the "command" to switch back to port-based authentication. WiFi clients are automatically allowed on the switch port. You must configure 802.1X/MAC auth on the WiFi controller/AP to authenticate the WiFi clients.

I am only using HPE, but other vendors should be able to switch the 802.1X authentication to port-based, too.

Best regards
Michael Weber

From: Mudrich, J. via PacketFence-users <packetfence-users@lists.sourceforge.net>
Sent: Wednesday, 22 March 2023 07:26
To: packetfence-users@lists.sourceforge.net
Cc: Mudrich, J. <j.mudr...@altmark-klinikum.de>
Subject: Re: [PacketFence-users] secure AP Uplink Ports

Hello Mirko,

The problem with MAC-based authentication is that the port will be blocked as soon as a new MAC is registered on the port. So this doesn't work for access point uplink ports, especially when providing a guest SSID.

On our switches port-security only works with SNMP traps, which I didn't want to set up since we already configured everything for RADIUS. Also it didn't work with PF for some reason.

Kind regards
Johannes

From: sgiops sgiops via PacketFence-users [mailto:packetfence-users@lists.sourceforge.net]
Sent: Tuesday, 21 March 2023 15:29
To: packetfence-users@lists.sourceforge.net
Cc: sgiops sgiops <thesgi...@gmail.com>
Subject: Re: [PacketFence-users] secure AP Uplink Ports

Hello Johannes,

Maybe you are describing the "port-security" functionality (this is usually a feature provided by the switch OS). Or you can use MAC address based authentication by manually registering the node (AP).

Regards
Mirko

On Tue 21 Mar 2023 at 15:19, Mudrich, J. via PacketFence-users <packetfence-users@lists.sourceforge.net> wrote:

Hello everyone,

I have another question regarding port security: Is there any way I can secure a port on an edge switch where an access point is connected? I'm thinking of a scenario where someone takes a ladder, pulls the cable from an access point and connects his own device.

Maybe some mechanism like: if the port comes up without the AP's MAC, close the port.

Thanks
Johannes

_______________________________________________
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users
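Added example, not code from the thread or from PacketFence. RFC 4675 defines Egress-VLANID as a 32-bit integer: the top byte is a tag indication (0x31 for tagged, 0x32 for untagged), the next 12 bits are reserved and must be zero, and the low 12 bits carry the VLAN ID. Egress-VLAN-Name is a string whose first character is "1" (tagged) or "2" (untagged) followed by the VLAN name, which is the "1VLXXX-VLAN1" form Michael's filter returns. The Python below encodes and decodes both attributes and classifies the egress attributes of a reply under that layout; a plain integer such as 1 has a tag byte of 0x00, which is not one of the two tag indications the RFC allows. The attribute list in REPLY_FROM_THREAD is copied from the reply printed in the thread; the VLAN name in REPLY_ENCODED is taken from Michael's mail and the untagged entry for VLAN 254 is an assumption.

```python
"""Encode / decode RFC 4675 egress VLAN attributes (added example)."""

TAG_TAGGED = 0x31    # RFC 4675 section 2.3: tag indication for tagged egress
TAG_UNTAGGED = 0x32  # tag indication for untagged egress


def encode_egress_vlanid(vid, tagged=True):
    """Return the 32-bit Egress-VLANID integer for one VLAN.

    Layout (RFC 4675 section 2.3): 8-bit tag indication, 12 reserved
    zero bits, 12-bit VLAN ID.  Tagged VLAN 1 is 0x31000001.
    """
    if not 1 <= vid <= 4094:
        raise ValueError(f"VLAN ID {vid} outside 1..4094")
    tag = TAG_TAGGED if tagged else TAG_UNTAGGED
    return (tag << 24) | vid


def decode_egress_vlanid(value):
    """Return (vid, tagged) for a well-formed value, else None.

    None means the integer does not follow the RFC layout: unknown tag
    indication byte, non-zero reserved bits, or VLAN ID 0.
    """
    tag = (value >> 24) & 0xFF
    reserved = (value >> 12) & 0xFFF
    vid = value & 0xFFF
    if tag not in (TAG_TAGGED, TAG_UNTAGGED) or reserved or vid == 0:
        return None
    return vid, tag == TAG_TAGGED


def encode_egress_vlan_name(name, tagged=True):
    """Return the Egress-VLAN-Name string (RFC 4675 section 2.4)."""
    return ("1" if tagged else "2") + name


def decode_egress_vlan_name(text):
    """Return (name, tagged) for a well-formed value, else None."""
    if len(text) < 2 or text[0] not in "12":
        return None
    return text[1:], text[0] == "1"


def check_reply(attrs):
    """Classify every egress VLAN attribute in a list of (name, value).

    Returns (name, raw value, decoded-or-None) tuples, so the caller can
    see which values do not parse under the RFC layout.
    """
    out = []
    for name, value in attrs:
        if name == "Egress-VLANID":
            out.append((name, value, decode_egress_vlanid(int(value))))
        elif name == "Egress-VLAN-Name":
            out.append((name, value, decode_egress_vlan_name(str(value))))
    return out


# Reply attributes as printed in the thread above (copied, not invented).
REPLY_FROM_THREAD = [
    ("Tunnel-Medium-Type", "IEEE-802"),
    ("Tunnel-Type", "VLAN"),
    ("Egress-VLANID", 1),
    ("Egress-VLANID", 4),
    ("Egress-VLANID", 200),
    ("HP-Port-MA-Port-Mode", 1),
    ("Tunnel-Private-Group-Id", "254"),
]

# Same intent (tagged 1, 4, 200) expressed with RFC-layout values.
# The untagged 254 entry and the VLAN name are assumptions for illustration.
REPLY_ENCODED = [
    ("Egress-VLANID", encode_egress_vlanid(1)),
    ("Egress-VLANID", encode_egress_vlanid(4)),
    ("Egress-VLANID", encode_egress_vlanid(200)),
    ("Egress-VLANID", encode_egress_vlanid(254, tagged=False)),
    ("Egress-VLAN-Name", encode_egress_vlan_name("VLXXX-VLAN1")),
]

if __name__ == "__main__":
    for label, attrs in (("as sent", REPLY_FROM_THREAD), ("RFC layout", REPLY_ENCODED)):
        print(label)
        for name, raw, decoded in check_reply(attrs):
            print(f"  {name} = {raw!r:>14} -> {decoded or 'not RFC 4675 layout'}")
```

Run it as a script to print both reply lists side by side; the decoded column shows which integer form a NAS that parses the attribute strictly can map to a VLAN and which it cannot.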