>> VLANs come from category criteria, and are assigned only by the first 802.1X
>> login.
>
> That is mostly true, however your VLAN is evaluated on each association.
Yes; resolved with Inverse's help. The node is auto-registered by the first username to connect, but subsequent logins are recorded and VLANs *do* vary dynamically according to code in pf::vlan::custom.

Open issue: 802.1X supports the concept of "outer tunnel privacy," which is widely used in eduroam federation. As shipped, PacketFence will only see, record, and supply to pf::vlan::custom the outer identity. This can be a security issue -- any local user can spoof any local username just by configuring their supplicant.

The eduroam/FreeRADIUS community has solved this in at least three different ways. We are researching which is best for PacketFence.

Non-local usernames, i.e., proxied connections where you don't get to see inside the EAP envelope, can never be verified and should not be used for access decisions. Only the realm is true.

https://www.google.com/search?q=eduroam+inner+identity+outer+identity+freeradius

_______________________________________________
Packetfence-users mailing list
https://lists.sourceforge.net/lists/listinfo/packetfence-users
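The identity-trust rule described in the message above, as an added example that is not PacketFence code, Inverse's code, or anything from the eduroam community. It assumes a hypothetical post-authentication hook that receives both the outer (envelope) identity and, for locally terminated EAP tunnels, the inner identity; the realm names, usernames and the `choose_identity` function are constructed for illustration. It shows why the shipped behaviour (keying on the outer identity) is spoofable and what a decision that trusts only the inner identity for local realms, and only the realm for proxied requests, looks like.

```python
"""Added example (not PacketFence's own code): decide which 802.1X identity an
access/VLAN decision may trust when EAP uses an anonymous outer identity.

Assumptions (constructed for this example):
  - LOCAL_REALMS lists realms this RADIUS server authenticates itself, so the
    inner identity is visible to it after the tunnel is decrypted.
  - For proxied realms the inner identity is None: it was verified by the
    remote home server and never seen here.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

LOCAL_REALMS = {"example.edu"}  # constructed: realms we terminate EAP for


@dataclass(frozen=True)
class Decision:
    action: str              # "accept", "reject" or "realm-only"
    username: Optional[str]  # verified username usable for a VLAN lookup
    realm: Optional[str]
    reason: str


def split_identity(identity: str) -> Tuple[str, Optional[str]]:
    """'user@realm' -> ('user', 'realm'); a bare username has realm None."""
    if "@" not in identity:
        return identity, None
    user, _, realm = identity.rpartition("@")
    return user, realm.lower()


def naive_outer_username(outer: str) -> str:
    """What an outer-identity-only decision sees: whatever the supplicant
    put in the unencrypted EAP-Identity. Any user can set this freely."""
    return split_identity(outer)[0]


def choose_identity(outer: str, inner: Optional[str],
                    local_realms=LOCAL_REALMS) -> Decision:
    """Return the identity an access decision may rely on.

    - Local realm, inner identity seen: trust the inner username only, and
      reject if the outer envelope names a different realm than the inner one
      (the mismatch itself is a sign of a misconfigured or hostile supplicant).
    - No inner identity (proxied): the username is unverifiable here; only the
      realm that routed the request is usable.
    """
    _outer_user, outer_realm = split_identity(outer)

    if inner is None:
        if outer_realm is None or outer_realm in local_realms:
            # A local realm must always yield an inner identity; if it did
            # not, EAP was not terminated here and nothing is verified.
            return Decision("reject", None, outer_realm,
                            "no inner identity for a local realm")
        return Decision("realm-only", None, outer_realm,
                        "proxied request; only the realm is trustworthy")

    inner_user, inner_realm = split_identity(inner)
    realm = inner_realm or outer_realm  # bare inner name inherits the realm
    if realm is not None and realm not in local_realms:
        return Decision("reject", None, realm,
                        "inner identity claims a realm we do not serve")
    if outer_realm is not None and inner_realm is not None and outer_realm != inner_realm:
        return Decision("reject", None, realm, "outer/inner realm mismatch")
    return Decision("accept", inner_user, realm,
                    "username taken from the inner (tunneled) identity")


if __name__ == "__main__":
    # Spoof attempt: supplicant sets outer identity to a privileged local user.
    outer, inner = "alice@example.edu", "bob@example.edu"
    print("outer-only sees:", naive_outer_username(outer))   # alice (spoofed)
    print("inner-aware sees:", choose_identity(outer, inner))  # bob
    # Roaming user from a proxied realm: only the realm can be used.
    print(choose_identity("anonymous@partner.org", None))
```

The `naive_outer_username` call is there only to show the contrast: with the outer identity alone, the VLAN lookup would be done for `alice`, although the tunnel authenticated `bob`. In a real deployment the inner identity has to be handed from the inner tunnel to whatever makes the access decision; how that is done is RADIUS-server specific and is the part the message says is still being researched.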
