To follow this up, I believe I may have solved it, but I thought I'd run it by 
the list just in case I've opened up any potential risks.

I have edited /usr/local/pf/raddb/sites-available/packetfence-soh and added in 
a section to authorize devices that NAK the SoH request, as follows:

server soh-server {
        authorize {
                if (SoH-Supported == no) {
                        # client NAKed our request for SoH - not supported, or turned off
                        update config {
                                Auth-Type = Accept
                        }
                }
                else {
                        packetfence-soh
                        update config {
                                Auth-Type = Accept
                        }
                }
        }
}

This seems to work for me. I have now authenticated with an Apple device and
an Android, whilst still being posture checked on my Windows laptop. I imagine
that if I went in and manually disabled the EAP enforcement client on my
Windows laptop then it would then bypass the SoH, but for the majority of my
users I don't imagine that this will ever come up.

Cheers,
Andi

From: Morris, Andi [mailto:[email protected]]
Sent: 30 July 2013 09:31
To: [email protected]
Subject: [PacketFence-users] SoH bypass for non-MS devices

Hi all,
I'm looking (again) to implement the FreeRADIUS SoH module into my environment
and although it works very well for MS devices, any other device that connects
to the network fails RADIUS authentication.

Does anybody know a way that I can bypass the SoH check for Apple/Android/other
devices? Presumably something with FreeRADIUS virtual servers, which I'm not
too familiar with, but I'd be happy to have a play around in a dev environment.

Cheers,
Andi

-------------------------------------
Andi Morris
IT Security Officer
Cardiff Metropolitan University
T: 02920 205720
E: [email protected]
--------------------------------------

_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
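
Added example, not part of the original thread or of PacketFence: the message above notes that a Windows client with its EAP enforcement client disabled would be accepted through the `SoH-Supported == no` branch, and this sketch flags devices that previously returned an SoH and later NAK it. The one-line-per-authentication log layout, the sample records and the function names are assumptions constructed for illustration.

```python
import csv
import io

# Constructed sample: one line per authentication, in a hypothetical
# "timestamp,calling_station_id,soh_supported" layout. This is not a stock
# FreeRADIUS or PacketFence log format.
SAMPLE_LOG = """\
2013-07-30T09:00:01,00:11:22:33:44:55,yes
2013-07-30T09:05:12,a4:b1:c2:d3:e4:f5,no
2013-07-30T09:07:40,66:77:88:99:aa:bb,yes
2013-07-31T08:59:30,00-11-22-33-44-55,no
2013-07-31T09:02:10,A4:B1:C2:D3:E4:F5,no
2013-07-31T09:10:00,66:77:88:99:AA:BB,yes
2013-08-01T09:00:00,00:11:22:33:44:55,yes
2013-08-01T09:30:00,00:11:22:33:44:55,no
"""

def normalise_mac(raw):
    """Lower-case and strip separators so one device maps to one key."""
    return "".join(c for c in raw.lower() if c in "0123456789abcdef")

def find_soh_downgrades(log_text):
    """Return (timestamp, mac, last_soh_timestamp) for every accept where a
    device that earlier sent an SoH now NAKs the request."""
    last_soh = {}    # mac -> timestamp of most recent SoH-Supported = yes
    alerted = set()  # macs already reported for the current downgrade
    findings = []
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) != 3:
            continue  # skip blank or malformed lines
        ts, mac, supported = row[0], normalise_mac(row[1]), row[2].strip().lower()
        if supported == "yes":
            last_soh[mac] = ts
            alerted.discard(mac)  # posture checking resumed; re-arm
        elif supported == "no" and mac in last_soh and mac not in alerted:
            findings.append((ts, mac, last_soh[mac]))
            alerted.add(mac)
    return findings

if __name__ == "__main__":
    for ts, mac, seen in find_soh_downgrades(SAMPLE_LOG):
        print(f"{ts} {mac} NAKed SoH but sent one at {seen}")
```

Devices that have never sent an SoH (the Apple and Android case in the thread) are never flagged; only a change from "yes" to "no" for the same MAC is reported.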