Ludovic Marcotte wrote:
> On 2013-11-04 4:39 PM, Jason 'XenoPhage' Frisvold wrote:
>>      This doesn't feel right.  Shouldn't the role for the MAC be updated
>> based on the rule matching in packetfence?
> No, because the opposite would be a problem - ie., dropping the device 
> into a privileged VLAN if MAC auth/port security is being used.

I'm having trouble wrapping my head around this.  Wasn't the role listed
in packetfence assigned via the rules to begin with?  The user
registered (captive portal or packetfence) and the rules dictated what
role to use.  That role is then static for that user forever?  What if
something changes and the user role needs to be reset?  This is a manual
process?

> The default 'category' (read 'role') from the node table, set when node 
> registration is performed, will be used when MAC auth/port security is used.

Sure, I get that part.  There's no authentication being performed in
that case, other than "HEY!  I HAVE A MAC ADDRESS!" ..  So it drops into
whatever role the MAC is set for.  And that's exactly what I'm after.
So, for instance, if a user can clone a MAC and use MAB instead of
802.1x, they'll drop right into the privileged VLAN.  However, if the
valid user had logged out, then the machine auth would have forced a
role change in packetfence and the attacker would end up in a less
critical network.

> Thanks,


-- 
---------------------------
Jason 'XenoPhage' Frisvold
xenoph...@godshell.com
---------------------------

"Any sufficiently advanced magic is indistinguishable from technology."
- Niven's Inverse of Clarke's Third Law
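To make the two behaviours in this exchange concrete, here is an added toy model (not PacketFence code; the role names, the logout hook and the MAB-after-802.1X check are assumptions). It contrasts the current behaviour, where the node-table category set at registration is what a MAC-auth session receives, with the behaviour asked for above, where a logout demotes the stored role, and adds a defender-side flag for a MAC that previously did 802.1X but now connects via MAB only.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Hypothetical role names; PacketFence's own defaults are not assumed here.
PRIVILEGED = "staff"
RESTRICTED = "guest"

@dataclass
class Node:
    mac: str
    category: str                    # node-table 'category' (role) MAB falls back to
    last_auth: Optional[str] = None  # "802.1x" once the MAC has done real auth

class Nac:
    """Toy model of the behaviour debated in the thread (not PacketFence code)."""
    def __init__(self, reset_role_on_logout: bool) -> None:
        self.reset_role_on_logout = reset_role_on_logout
        self.nodes: Dict[str, Node] = {}
        self.alerts: List[str] = []

    def register(self, mac: str, role: str) -> None:
        self.nodes[mac] = Node(mac, role)

    def dot1x_login(self, mac: str, rule_role: str) -> str:
        # Rules decide the role at authentication time and store it in the node table.
        node = self.nodes[mac]
        node.category, node.last_auth = rule_role, "802.1x"
        return node.category

    def dot1x_logout(self, mac: str) -> None:
        # The behaviour the poster wants: demote the stored role on logout.
        if self.reset_role_on_logout:
            self.nodes[mac].category = RESTRICTED

    def mab_connect(self, mac: str) -> str:
        # MAC auth performs no authentication: it uses whatever the node table holds.
        node = self.nodes.get(mac)
        if node is None:
            return RESTRICTED
        if node.last_auth == "802.1x":
            # Detection hook: a MAC that previously did 802.1X is now using MAB only.
            self.alerts.append(f"{mac}: MAB request from a MAC with prior 802.1X auth")
        return node.category

def mab_role_after_logout(reset_role_on_logout: bool) -> str:
    """Role a MAB session on the same MAC gets after the 802.1X user logged out."""
    nac, mac = Nac(reset_role_on_logout), "00:11:22:33:44:55"  # constructed MAC
    nac.register(mac, RESTRICTED)
    nac.dot1x_login(mac, PRIVILEGED)
    nac.dot1x_logout(mac)
    return nac.mab_connect(mac)
```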

_______________________________________________
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users
