Hello Tim,
hi all,

we use Juniper EX3200 switches here and I would like to discuss a security
issue in your example config for Juniper in the documentation referenced by your
posting below:

Your doc suggests activating the option "mac radius". I would rather NOT
suggest that, because:
MAC authentication is subject to spoofing attacks, which is exactly what one
wants to get rid of by using 802.1X.
Activating the mac radius option is exactly the wrong way, as in that case a
Juniper switch would use simple MAC RADIUS as a fallback if 802.1X failed,
which is exactly what you would NOT want if you want to be sure NOT to be
vulnerable to MAC spoofing attacks.

So is there a reason you suggest that option that I didn't get?

Bye,
Holger

PS:
An additional personal hint: using interface ranges in the "protocols / dot1x /
interface" config did not work with our switches; we had to explicitly name the
interfaces there.


From: Timothy Mullican via PacketFence-users
[mailto:packetfence-users@lists.sourceforge.net]
Sent: Thursday, 1 February 2018 18:11
To: packetfence-users@lists.sourceforge.net
Cc: Timothy Mullican <tjmullic...@yahoo.com>; Frederic Hermann
<frederic.herm...@neptune.fr>
Subject: Re: [PacketFence-users] Packetfence RADIUS and Unifi Out of Band

By the way,
Fabrice Durand already added code to do this in pull request #2735 on github. 
See 
https://patch-diff.githubusercontent.com/raw/inverse-inc/packetfence/pull/2735.patch
You can apply that patch to get it working. Also see 
https://github.com/inverse-inc/packetfence/blob/ae18f50b4879cc2d4132490fcee33f2fbe53b36f/docs/PacketFence_Network_Devices_Configuration_Guide.asciidoc
for the updated documentation. You can read through my earlier thread to see
the steps I took to get it working.

Tim
Sent from mobile phone

On Feb 1, 2018, at 10:15, David Harvey via PacketFence-users
<packetfence-users@lists.sourceforge.net> wrote:
This has been a fantastic resource for the thread I recently started (sorry for 
the repetition in it)
I would add:
I've added kick-sta to replace both the authorize and unauthorize guest 
commands in Unifi.pm

It transpired my in-house cert was upsetting things until I updated the CA certs
on the Debian container I'm using. The symptom was the following in
packetfence.log:
before:
Can't login on the Unifi controller: 500 Can't connect to
10.100.103.33:8443 (certificate verify failed)
(pf::Switch::Ubiquiti::Unifi::_deauthenticateMacWithHTTP)
after:
Switched status on the Unifi controller using command kick-sta 
(pf::Switch::Ubiquiti::Unifi::_deauthenticateMacWithHTTP)

After this the kick events come through and I get a brief drop in packets
whilst pinging. I'm still fighting the final issue, which is increasing the
duration of the kick, or ensuring a full re-auth occurs, as currently the
device I'm testing with drops packets but remains on the same VLAN until
the device is toggled.

Thanks for the guidance and let me know if you face/overcame anything similar.

Cheers,

David


On Mon, Jul 17, 2017 at 3:54 PM, Frederic Hermann via PacketFence-users
<packetfence-users@lists.sourceforge.net> wrote:
> From: "Michael Westergaard via PacketFence-users"
> <packetfence-users@lists.sourceforge.net>
Hi Michael,


> I am trying to see if Packetfence is a proper way to do NAC with Unifi UAP-AC
> with dynamic VLAN. According to the new Unifi Controller 5.5.19 release,
> Dynamic Wireless VLAN with RADIUS is now out of beta, which Packetfence is using
> for authenticating users over wireless and then changing the VLAN.

> However I cannot find any documentation anywhere if this is possible in the
> Packetfence Documentation?

> Especially Packetfence Out of Band (Dynamic VLAN) with Unifi. Has anybody been
> able to make it work?

We did some tests a few weeks ago, and we've been able to manage a Unifi
controller using RADIUS mode (rather than the Portal mode described in the
PacketFence documentation).

This allows you to use dynamic VLANs with WPA2-Enterprise, as it seems that
dynamic VLANs are only available in secure mode on Unifi.

The only change we had to do (on the packetfence side) was


That means you have to configure your AP type as "Unifi Controller" in
PacketFence, and set the Deauth method to "HTTPS" instead of RADIUS.
Of course you will also define the Unifi controller IP in the same location.
Then you will have to edit (or override) the Unifi.pm module to change the
webservice command used to auth/deauth users: this is in the
"_deauthenticateMacWithHTTP" method, and you should use the "kick-sta" Unifi
command through the webservice, instead of
"authorize-guest/unauthorize-guest".

Hope this helps,

Regards

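The kick-sta exchange described in Frederic Hermann's message above, and the certificate-verification failure David Harvey hit, as an added stand-alone example. This is not PacketFence's Unifi.pm and not code from anyone in the thread; it is a separate Perl script (PacketFence is written in Perl) that logs in to the controller and issues the stamgr "kick-sta" command for one client MAC. The API paths /api/login and /api/s/<site>/cmd/stamgr, the site name "default", the CA bundle path and the environment-variable names are assumptions, not taken from the thread; the controller address is the one from David's log line.

```perl
#!/usr/bin/perl
# Added example, not PacketFence's own pf::Switch::Ubiquiti::Unifi code.
# Logs in to a UniFi controller and kicks one wireless station with the
# stamgr "kick-sta" command so it must re-associate (and re-authenticate).
use strict;
use warnings;
use LWP::UserAgent;   # HTTPS needs LWP::Protocol::https + IO::Socket::SSL
use JSON;

my $controller = 'https://10.100.103.33:8443';          # from David's log line
my $site       = 'default';                              # assumed site name
my $ca_file    = '/etc/ssl/certs/ca-certificates.crt';   # assumed; must include the CA that issued the controller cert

# Keep TLS verification on. A "certificate verify failed" error means the
# controller's issuing CA is missing from $ca_file; add the CA rather than
# setting verify_hostname => 0, or the deauth channel can be spoofed.
my $ua = LWP::UserAgent->new(
    cookie_jar => {},            # stores the session cookie set by /api/login
    timeout    => 10,
    ssl_opts   => {
        verify_hostname => 1,
        SSL_ca_file     => $ca_file,
    },
);

# POST a JSON body to the controller and insist on meta.rc == "ok".
sub api_post {
    my ($path, $body) = @_;
    my $res = $ua->post(
        "$controller$path",
        'Content-Type' => 'application/json',
        Content        => encode_json($body),
    );
    die "POST $path failed: " . $res->status_line . "\n" unless $res->is_success;
    my $data = decode_json($res->decoded_content);
    my $rc   = $data->{meta}{rc} // 'undef';
    die "POST $path returned rc=$rc\n" unless $rc eq 'ok';
    return $data;
}

# Validate the MAC before it is sent; the controller expects lower-case colon form.
sub kick_station {
    my ($mac) = @_;
    $mac = lc $mac;
    die "bad MAC '$mac'\n" unless $mac =~ /^(?:[0-9a-f]{2}:){5}[0-9a-f]{2}$/;
    api_post("/api/s/$site/cmd/stamgr", { cmd => 'kick-sta', mac => $mac });
    return $mac;
}

# Credentials come from the environment (assumed variable names) so they do
# not land in shell history or process listings.
my $user = $ENV{UNIFI_USER} // die "set UNIFI_USER\n";
my $pass = $ENV{UNIFI_PASS} // die "set UNIFI_PASS\n";
api_post('/api/login', { username => $user, password => $pass });

my $mac = shift @ARGV or die "usage: $0 <client MAC>\n";
kick_station($mac);
print "kicked $mac via kick-sta\n";
```

Run it as `UNIFI_USER=... UNIFI_PASS=... ./kick-sta.pl aa:bb:cc:dd:ee:ff`. The same login plus stamgr call with `cmd => 'unauthorize-guest'` is what the Portal mode uses; the only difference for RADIUS mode is the command name. The check on `meta.rc` matters because the controller answers HTTP 200 with `rc => 'error'` for an unknown site or a station it cannot find, so a successful HTTP status alone does not mean the client was kicked.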
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users

