On 2013-11-05 3:08 PM, Jason Frisvold wrote:
> I'm having trouble wrapping my head around this. Wasn't the role listed
> in packetfence assigned via the rules to begin with? The user
> registered (captive portal or packetfence) and the rules dictated what
> role to use. That role is then static for that user forever? What if
> something changes and the user role needs to be reset? This is a manual
> process?

When the device is registered, it gets a role. That role is stored in the node table. That role, that could be called 'registration role', is used when there's no EAP (i.e., MAC authentication/port security/link up,down).

When EAP is being used, the role is dynamically computed from authentication sources from the information provided in the EAP messages, and returned over RADIUS. The 'registration role' is NOT updated with the computed role.

Say you use a student PC to connect over a secured SSID (EAP-PEAP) and we update the 'registration role' to 'admin IT', and you're dropped into VLAN 666 where you're empowered by network gods. Now you give back the laptop to the student and he connects to your open SSID. He'll end up in VLAN 666 and toy around with the devil himself - while he should be calm like a sheep in the student VLAN, got when he first plugged in his device...

Ludovic

--
Ludovic Marcotte
lmarco...@inverse.ca :: +1.514.755.3630 :: http://inverse.ca
Inverse inc. :: Leaders behind SOGo (http://sogo.nu) and PacketFence (http://packetfence.org)

_______________________________________________
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users
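
The role resolution described in the message above, modelled as an added example (not PacketFence code and not part of the original post). The function names, the user table and the student VLAN number are assumptions made for illustration; only VLAN 666 and the role names come from the message.

```python
# Illustrative model only; not PacketFence code. All names are hypothetical.
from dataclasses import dataclass

# Constructed role-to-VLAN map: 666 is from the message, 20 is a made-up student VLAN.
ROLE_TO_VLAN = {"student": 20, "admin IT": 666}

# Constructed stand-in for an authentication source (EAP user -> role).
AUTH_SOURCE = {"it_admin": "admin IT", "student1": "student"}


@dataclass
class Node:
    mac: str
    registration_role: str  # set at registration time (the node table entry)


def resolve_role(node, eap_user=None, persist_computed=False):
    """Return the role for one connection.

    No EAP (MAC authentication, port security, link up/down): stored role.
    EAP: role computed from the authentication source for this session only.
    persist_computed=True models the unsafe design the message warns about.
    """
    if eap_user is None:
        return node.registration_role
    role = AUTH_SOURCE[eap_user]
    if persist_computed:
        node.registration_role = role  # the user's privilege now sticks to the device
    return role


def scenario(persist_computed):
    """Student laptop: an admin logs in over EAP, then the laptop joins the open SSID."""
    laptop = Node(mac="00:11:22:33:44:55", registration_role="student")
    secured = resolve_role(laptop, eap_user="it_admin",
                           persist_computed=persist_computed)
    open_ssid = resolve_role(laptop)  # MAC authentication, no user identity available
    return ROLE_TO_VLAN[secured], ROLE_TO_VLAN[open_ssid]


if __name__ == "__main__":
    print("computed role not persisted:", scenario(False))
    print("computed role persisted:    ", scenario(True))
```

The pair returned by `scenario` is (VLAN on the secured SSID, VLAN on the open SSID): keeping the computed role per-session leaves the device in the student VLAN once no user identity is presented.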