Thank you Louis
I will check the proxy config. Could you please detail what you mean by the
outer identity? Will PF see, for example, whether the user is authenticated or
not, and could it react and put the port into the Registration or Isolation VLAN?
Thank you
Adrian
From: "[email protected]"
<[email protected]>
To: [email protected]
Sent: Tuesday, March 3, 2015 5:35 PM
Subject: PacketFence-users Digest, Vol 83, Issue 4
Send PacketFence-users mailing list submissions to
[email protected]
To subscribe or unsubscribe via the World Wide Web, visit
https://lists.sourceforge.net/lists/listinfo/packetfence-users
or, via email, send a message with subject or body 'help' to
[email protected]
You can reach the person managing the list at
[email protected]
When replying, please edit your Subject line so it is more specific
than "Re: Contents of PacketFence-users digest..."
Today's Topics:
1. Re: PF and external radius for AD 802.1x auth (Louis Munro)
2. Re: Port-Security and Violations Bug (Sallee, Jake)
3. Re: Port-Security and Violations Bug (Sallee, Jake)
----------------------------------------------------------------------
Message: 1
Date: Tue, 3 Mar 2015 09:38:03 -0500
From: Louis Munro <[email protected]>
Subject: Re: [PacketFence-users] PF and external radius for AD 802.1x auth
To: [email protected]
Message-ID: <[email protected]>
Content-Type: text/plain; charset="windows-1252"
On Mar 3, 2015, at 5:04 , Calugaru Adrian <[email protected]> wrote:
> Hi guys,
>
> I'm new to this great software and after a week of browsing different
> deployment and configuration guides I couldn't find anything about using an
> external RADIUS server for 802.1X authentication.
>
> Do you know if it's possible to integrate PF with MS NPS (RADIUS) or
> forward the auth requests to the external RADIUS server?
>
Hi Adrian,
Yes, it's possible.
It's only a matter of configuring FreeRADIUS to proxy to your NPS server.
Check out /usr/local/pf/raddb/proxy.conf for an example proxying configuration.
Be advised that if you are proxying PEAP (as you likely will) then PacketFence
will not have access to the inner tunnel and will have to make authentication
decisions based on the outer identity, which is not authenticated.
Regards,
--
Louis Munro
[email protected] :: www.inverse.ca
+1.514.447.4918 x125 :: +1 (866) 353-6153 x125
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence
(www.packetfence.org)
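A worked model of the point Louis makes, added here as an example; it is not PacketFence or FreeRADIUS code and does not reproduce proxy.conf syntax. It shows the realm-based routing a proxy can do from the outer User-Name, a stand-in home server that authenticates only the inner PEAP identity, and two ways the proxy could turn the reply into a VLAN. Realm, pool, user, password and VLAN values are constructed (the 10/80 VLAN numbers echo the StaffVlan/StudentVlan settings quoted later in this digest); whether NPS returns the authenticated account as User-Name in its Access-Accept is an assumption to verify against your own NPS policy.

```python
"""Model of a PEAP Access-Request proxied to an external home server.
Added example, not PacketFence or FreeRADIUS code; all names are constructed."""
from dataclasses import dataclass
from typing import Optional

# Realm routing, in the spirit of the realm {} / home_server_pool {} stanzas
# in raddb/proxy.conf: listed realms are forwarded, the rest stay local.
REALM_TO_POOL = {"corp.example": "nps_pool"}          # constructed

REGISTRATION_VLAN = 2                                 # constructed
ROLE_VLAN = {"staff": 10, "student": 80}              # as in the thread's switch.conf
USER_ROLE = {"alice": "staff", "bob": "student"}      # constructed directory
PASSWORDS = {"alice": "hunter2", "bob": "s3cret"}     # constructed, for the stand-in NPS


def split_identity(user_name: str):
    """'user@realm' or 'DOMAIN\\user' -> (user, realm), realm lower-cased,
    like the FreeRADIUS realm module's suffix/ntdomain formats."""
    if "\\" in user_name:
        realm, user = user_name.split("\\", 1)
        return user, realm.lower()
    if "@" in user_name:
        user, realm = user_name.rsplit("@", 1)
        return user, realm.lower()
    return user_name, None


def route(outer_user_name: str) -> str:
    """Pick the pool for an Access-Request. With PEAP the outer User-Name is
    the only identity the proxy can see; the inner one is inside TLS."""
    _, realm = split_identity(outer_user_name)
    return REALM_TO_POOL.get(realm, "LOCAL") if realm else "LOCAL"


@dataclass
class AccessRequest:
    outer_user_name: str      # RADIUS User-Name: chosen freely by the supplicant
    calling_station_id: str   # supplicant MAC: also supplicant-controlled
    inner_user_name: str      # inside the PEAP tunnel: opaque to the proxy
    inner_password: str


@dataclass
class AccessAccept:
    user_name: Optional[str]  # identity the home server vouches for, if it returns one


def nps_home_server(req: AccessRequest, echo_identity: bool) -> Optional[AccessAccept]:
    """Stand-in for NPS: terminates PEAP and checks only the INNER credentials.
    Returns None for Access-Reject. Whether a real NPS returns the account
    name as User-Name in the Accept is an assumption to verify."""
    if PASSWORDS.get(req.inner_user_name) != req.inner_password:
        return None
    return AccessAccept(user_name=req.inner_user_name if echo_identity else None)


def packetfence_vlan(req: AccessRequest, reply: Optional[AccessAccept],
                     trust_outer: bool) -> Optional[int]:
    """VLAN decision at the proxy. None means no access (Access-Reject passed
    through). trust_outer=True keys the role on the unauthenticated outer
    identity; False uses only what the home server returned."""
    if reply is None:
        return None
    user = split_identity(req.outer_user_name)[0] if trust_outer else reply.user_name
    if user is None:
        return REGISTRATION_VLAN      # nothing vouched for: treat as unknown device
    return ROLE_VLAN.get(USER_ROLE.get(user, ""), REGISTRATION_VLAN)


def demo():
    """bob proves he is bob inside the tunnel but claims to be alice outside."""
    req = AccessRequest("alice@corp.example", "00:11:22:33:44:55", "bob", "s3cret")
    pool = route(req.outer_user_name)
    accept = nps_home_server(req, echo_identity=True)
    unsafe = packetfence_vlan(req, accept, trust_outer=True)             # staff VLAN 10
    safe = packetfence_vlan(req, accept, trust_outer=False)              # student VLAN 80
    no_echo = packetfence_vlan(req, nps_home_server(req, False), False)  # registration VLAN 2
    return pool, unsafe, safe, no_echo


if __name__ == "__main__":
    print(demo())
```

In demo(), bob authenticates with his own valid password inside the tunnel while presenting alice@corp.example as the outer identity. The home server accepts, because bob's credentials are fine, and a decision keyed on the outer identity lands him in the staff VLAN. Keying the role on the identity the home server returned, or falling back to the registration VLAN when it returns none, closes that gap. Anything else that reaches the proxy outside the tunnel, Calling-Station-Id included, is just as supplicant-controlled.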
------------------------------
Message: 2
Date: Tue, 3 Mar 2015 15:31:55 +0000
From: "Sallee, Jake" <[email protected]>
Subject: Re: [PacketFence-users] Port-Security and Violations Bug
To: "[email protected]"
<[email protected]>
Message-ID:
<[email protected]>
Content-Type: text/plain; charset="iso-8859-1"
> We all know that MAC address security is not foolproof...
THIS! So much of this!
It is very important that anyone using any kind of MAC-based auth mechanism
understands that MAC auth is NOT secure. It is a useful tool, but it is not
secure.
MAC auth is useful and can, and should, be deployed in certain circumstances.
However, if your requirements include security, MAC auth is off the table. It is
just too easy to spoof a MAC address.
There are ways to mitigate MAC spoofing, but they are not foolproof and
can cause trouble if not deployed carefully.
Also, to the original poster's comments, why are you using SNMP-based auth when
the switch supports MAB and 802.1X?
See here:
http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3560/software/release/12-2_55_se/configuration/guide/3560_scg/sw8021x.html
With MAB you do need to assign a fake mac to a port and it can not then be read
by someone like you described.
MAB is much better than SNMP auth, but it is still not acceptable for high
security or sensitive environments.
In short, the issue you are seeing is not a flaw in PF or any other product.
It is the result of using an authentication mechanism that was never designed
with security in mind.
Try using MAB and doing the same trick with your Slackware box; it should not
work.
Jake Sallee
Godfather of Bandwidth
System Engineer
University of Mary Hardin-Baylor
WWW.UMHB.EDU
900 College St.
Belton, Texas
76513
Fone: 254-295-4658
Phax: 254-295-4221
________________________________
From: Rosario Ippolito [[email protected]]
Sent: Tuesday, March 03, 2015 8:32 AM
To: [email protected]
Subject: Re: [PacketFence-users] Port-Security and Violations Bug
Hello Arthur,
thanks for your help.
I have sent the proof that PF puts the bogus MAC address back onto the port
once a client disconnects, so I wonder if I have configured my port-security
in the wrong way.
I have configured port-security on the switches following the Network Devices
Configuration guide, and this is my switch.conf file:
[192.168.1.9]
RoleMap=N
mode=production
cliUser=PF
AccessListMap=N
description=Catalyst_3560G
type=Cisco::Catalyst_3560G
cliPwd=xxxxxxx
VoIPEnabled=N
cliEnablePwd=xxxxxxxxx
defaultVlan=1
deauthMethod=SNMP
StudentVlan=80
radiusSecret=testing123
StaffVlan=10
[192.168.1.10]
RoleMap=N
mode=production
StudentVlan=80
AccessListMap=N
description=Catalyst_3750
type=Cisco::Catalyst_3750
VoIPEnabled=N
deauthMethod=SNMP
defaultVlan=1
radiusSecret=testing123
StaffVlan=10
Thanks a lot for your time.
Regards,
Rosario Ippolito
2015-03-03 15:07 GMT+01:00 Arthur Emerson
<[email protected]>:
On my PF 3.6 setup with wired Cisco switch ports, I do not believe
that PF puts the bogus MAC address back onto the port once a client
disconnects. If the same client that was connected powers on again,
the port is already set. If a new client is connected, the MAC
address doesn't match and it sends a trap to PF. At least this is
the way it appears to be working for me?
We all know that MAC address security is not foolproof, so my $0.02
(rounded down to zero in Canada?) is that you shouldn't be using MAB
on your network if you are worried about someone booting up Slackware
and probing a port to find a MAC address to spoof...
-Arthur
-------------------------------------------------------------------------
Arthur Emerson III          Email: [email protected]
Network Administrator       InterNIC: AE81
Mount Saint Mary College    MaBell: (845) 561-0800 Ext. 3109
330 Powell Ave.             Fax: (845) 562-6762
Newburgh, NY 12550          SneakerNet: Aquinas Hall Room 11
From: Rosario Ippolito <[email protected]>
Reply-To: "[email protected]" <[email protected]>
Date: Tuesday, March 3, 2015 at 3:56 AM
To: "[email protected]" <[email protected]>
Subject: [PacketFence-users] Port-Security and Violations Bug
Hello all,
I'm sorry to write again about this problem, but I think it is relevant.
I have configured PacketFence (ver 4.6) with port-security on a Cisco Catalyst
3560G switch, and when I plug in a device it works fine, that is, SNMP traps
are sent and the correct VLAN is set after authentication. When I disconnect
the device, the switch port is set with the bogus MAC address, but the VLAN on
the switch port is not modified. It would be more accurate if the switch port
were set to the registration VLAN or the MAC detection VLAN, wouldn't it?
Because with a Slackware OS, which is silent, if I connect the device to the
port and sniff traffic, I see the CDP packets and I discover the switch port
I am connected to. So, I know that PacketFence uses the bogus MAC; then I look
in the guide, I read the bogus MAC and I set it on my Slackware device. The
MAC address is secured by configuration, so I'm in the VLAN that was set
before, receiving an IP address by DHCP, or simply sniffing traffic in that VLAN.
When I do this, I notice that in the "Location" section of the node in Nodes
(from the web interface) there is nothing! That is, PacketFence can't see that
there is a node connected that is generating traffic, so even if I try to
configure a violation by MAC address in violations.conf, and the violation is
detected, nothing is done!
Here is some output from the log files:
###########################
packetfence.log
(The moment I disconnected the device; the registration or MAC detection VLAN
is not set)
Feb 26 18:24:34 pfsetvlan(5) INFO: Will try to check on this node's previous
switch if secured entry needs to be removed. Old Switch IP: 192.168.1.9
(main::do_port_security)
Feb 26 18:24:34 pfsetvlan(5) INFO: de-authorizing xx:xx:xx:xx:xx:xx (new entry
02:00:00:01:01:08) at old location 192.168.1.9 ifIndex 10108
(main::do_port_security)
Feb 26 18:24:34 pfsetvlan(8) INFO: secureMacAddrViolation trap already in the
queue for 192.168.1.9 ifIndex 10113. Won't add another one
(main::signalHandlerTrapListQueued)
##############################
violation.log
2015-03-02 18:57:32: MAC bogus OUI (1100022) detected on node 02:00:00:01:01:07
(0)
2015-03-02 18:57:32: MAC bogus gi0/7 (1100023) detected on node
02:00:00:01:01:07 (0)
##############################
And this is my violations.conf
[1100022]
desc=MAC bogus OUI
template=banned_devices
trigger=VENDORMAC::131072
actions=trap,log,role
enabled=Y
auto_enable=N
target_category=Student
max_enable=0
[1100023]
desc=MAC bogus gi0/7
template=banned_devices
trigger=MAC::2199023321351
actions=trap,log,role
enabled=Y
auto_enable=N
target_category=Student
I also attach a picture of the configuration of the switch port after the
device disconnects (gi0/11).
Sorry again for my poor English.
Can anyone help me with this issue?
Thanks in advance for any help.
Kind Regards,
Rosario Ippolito
------------------------------------------------------------------------------
Dive into the World of Parallel Programming The Go Parallel Website, sponsored
by Intel and developed in partnership with Slashdot Media, is your hub for all
things parallel software development, from weekly thought leadership blogs to
news, videos, case studies, tutorials and more. Take a look and join the
conversation now.
http://goparallel.sourceforge.net/
_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
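The numbers in the two trigger= lines of the violations.conf quoted above are the MAC and the OUI written as decimal integers: 2199023321351 is 0x020000010107, i.e. 02:00:00:01:01:07, and 131072 is 0x020000, the 02:00:00 OUI that the bogus entries share (the packetfence.log lines show 02:00:00:01:01:08 on ifIndex 10108, so the last octet appears to track the port number). The following is an added example, not PacketFence code, that decodes those triggers, generates them for other ports, and evaluates the quoted violations.conf (embedded as sample input) against a MAC. It covers only the detection half of the problem; the enforcement gap Rosario reports (no Location, no action taken) is a separate matter. The trigger encodings are inferred from the two entries quoted here; everything else is constructed.

```python
"""Decode and evaluate the numeric MAC triggers used in violations.conf.
Added example, not PacketFence code; trigger encodings inferred from the two
entries quoted in this thread, other inputs constructed."""
import configparser
import re

MAC_RE = re.compile(r"^(?:[0-9a-f]{2}:){5}[0-9a-f]{2}$")
OUI_RE = re.compile(r"^(?:[0-9a-f]{2}:){2}[0-9a-f]{2}$")


def mac_to_int(mac: str) -> int:
    """'02:00:00:01:01:07' -> 0x020000010107 == 2199023321351 (MAC::...)."""
    mac = mac.lower()
    if not MAC_RE.match(mac):
        raise ValueError(f"not a MAC address: {mac!r}")
    return int(mac.replace(":", ""), 16)


def oui_to_int(oui: str) -> int:
    """'02:00:00' -> 0x020000 == 131072 (VENDORMAC::...)."""
    oui = oui.lower()
    if not OUI_RE.match(oui):
        raise ValueError(f"not an OUI: {oui!r}")
    return int(oui.replace(":", ""), 16)


def int_to_mac(n: int) -> str:
    """Inverse of mac_to_int, for reading a MAC:: trigger back."""
    return ":".join(f"{n:012x}"[i:i + 2] for i in range(0, 12, 2))


def is_locally_administered(mac: str) -> bool:
    """Bit 1 of the first octet, set on 02:xx:xx:... addresses. Randomized
    client MACs set it too, so this flags more than PacketFence's bogus MACs."""
    return bool((mac_to_int(mac) >> 40) & 0x02)


def trigger_for(mac: str, per_port: bool = True) -> str:
    """Trigger string for a whole MAC (MAC::) or only its OUI (VENDORMAC::)."""
    n = mac_to_int(mac)
    return f"MAC::{n}" if per_port else f"VENDORMAC::{n >> 24}"


# Constructed sample input: the two entries from the thread's violations.conf.
VIOLATIONS_CONF = """\
[1100022]
desc=MAC bogus OUI
template=banned_devices
trigger=VENDORMAC::131072
actions=trap,log,role
enabled=Y
auto_enable=N
target_category=Student
max_enable=0
[1100023]
desc=MAC bogus gi0/7
template=banned_devices
trigger=MAC::2199023321351
actions=trap,log,role
enabled=Y
auto_enable=N
target_category=Student
"""


def load_violations(text: str):
    """Parse the INI-style file; keep only MAC and VENDORMAC triggers."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    out = []
    for vid in cp.sections():
        sec = cp[vid]
        triggers = []
        for item in sec.get("trigger", "").split(","):
            kind, _, value = item.strip().partition("::")
            if kind.upper() in ("MAC", "VENDORMAC"):
                triggers.append((kind.upper(), int(value)))
        out.append({"id": vid, "desc": sec.get("desc", ""),
                    "enabled": sec.get("enabled", "N").upper() == "Y",
                    "triggers": triggers})
    return out


def matching_violations(mac: str, violations) -> list:
    """IDs of enabled violations whose MAC/VENDORMAC trigger fires for mac."""
    n = mac_to_int(mac)
    hits = []
    for v in violations:
        if not v["enabled"]:
            continue
        for kind, value in v["triggers"]:
            if (kind == "MAC" and value == n) or (kind == "VENDORMAC" and value == n >> 24):
                hits.append(v["id"])
                break
    return hits


if __name__ == "__main__":
    rules = load_violations(VIOLATIONS_CONF)
    for mac in ("02:00:00:01:01:07", "02:00:00:01:01:08", "00:11:22:33:44:55"):
        print(mac, trigger_for(mac), matching_violations(mac, rules))
```

With the thread's file, 02:00:00:01:01:07 fires both 1100022 and 1100023, exactly as violation.log shows, while the gi0/8 entry 02:00:00:01:01:08 fires only the OUI rule, so a per-port MAC:: trigger is needed for every secured port if you want per-port descriptions. The OUI rule alone already covers every bogus address, which is the simpler thing to maintain.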
------------------------------
Message: 3
Date: Tue, 3 Mar 2015 15:35:16 +0000
From: "Sallee, Jake" <[email protected]>
Subject: Re: [PacketFence-users] Port-Security and Violations Bug
To: "[email protected]"
<[email protected]>
Message-ID:
<[email protected]>
Content-Type: text/plain; charset="us-ascii"
Dang it, made a typo.
> With MAB you do need to assign a fake mac to a port and it can not then be
> read by someone like you described.
Should be
With MAB you do NOT need to assign a fake mac to a port and it can not then be
read by someone like you described.
Carry on.
Jake Sallee
Godfather of Bandwidth
System Engineer
University of Mary Hardin-Baylor
WWW.UMHB.EDU
900 College St.
Belton, Texas
76513
Fone: 254-295-4658
Phax: 254-295-4221
------------------------------
------------------------------
_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
End of PacketFence-users Digest, Vol 83, Issue 4
************************************************