Eugene:

You should use the IP address of your AP instead of the MAC address. The 
pictures are available at:

https://github.com/inverse-inc/packetfence/blob/ae18f50b4879cc2d4132490fcee33f2fbe53b36f/docs/images/unifi-open.png

https://github.com/inverse-inc/packetfence/blob/ae18f50b4879cc2d4132490fcee33f2fbe53b36f/docs/images/unifi-radius.png

https://github.com/inverse-inc/packetfence/blob/ae18f50b4879cc2d4132490fcee33f2fbe53b36f/docs/images/unifi-secure.png

My thread probably has more in depth images though.

—
Holger:

You are correct that MAC auth is vulnerable to attack. I believe PacketFence 
can detect a host name change as one mitigation and trigger a violation. 
Another mitigation is to put your network behind 802.1x or WPA2. I have to auth 
people against G Suite, so I can’t currently use 802.1x (Oauth). For the guest 
network, spoofing isn’t as much of an issue since it’s separated from my 
corporate LAN. I would start a separate thread for this though.

Sent from mobile phone

> On Feb 2, 2018, at 03:15, <holger.patz...@t-systems.com> 
> <holger.patz...@t-systems.com> wrote:
> 
> Hello Tim,
> hi all,
>  
> we do use Juniper EX3200 Switches here and I would like to discuss a security 
> issue in your example conf for Juniper in the documentation referenced by 
> your posting below:
>  
> your doc suggests activating the option „mac radius“. I would rather NOT 
> suggest that, because:
> MAC Authentication is subject to spoofing attacks, which is exactly what one 
> wants to get rid of by using 802.1x.
> Activating the mac radius option is exactly the wrong way, as in this case a 
> Juniper switch would use simple mac radius as a fallback if 802.1x fails, 
> which is exactly what you would NOT want if you want to be sure NOT to be 
> vulnerable to mac spoofing attacks.
>  
> So is there a reason you suggest that option that I didn't get?
>  
> Bye,
> Holger
>  
> PS:
> An additional personal hint: using interface ranges in the „protocols / dot1x 
> / interface“ config did not work with our switches, we had to explicitly name 
> the interfaces there.
>  
>  
> From: Timothy Mullican via PacketFence-users 
> [mailto:packetfence-users@lists.sourceforge.net] 
> Sent: Thursday, 1 February 2018 18:11
> To: packetfence-users@lists.sourceforge.net
> Cc: Timothy Mullican <tjmullic...@yahoo.com>; Frederic Hermann 
> <frederic.herm...@neptune.fr>
> Subject: Re: [PacketFence-users] Packetfence RADIUS and Unifi Out of Band
>  
> By the way,
> Fabrice Durand already added code to do this in pull request #2735 on github. 
> See 
> https://patch-diff.githubusercontent.com/raw/inverse-inc/packetfence/pull/2735.patch
> You can apply that patch to get it working. Also see 
> https://github.com/inverse-inc/packetfence/blob/ae18f50b4879cc2d4132490fcee33f2fbe53b36f/docs/PacketFence_Network_Devices_Configuration_Guide.asciidoc
> for the updated documentation. You can read through my earlier thread to see 
> the steps I took to get it working. 
>  
> Tim
> 
> Sent from mobile phone
> 
> On Feb 1, 2018, at 10:15, David Harvey via PacketFence-users 
> <packetfence-users@lists.sourceforge.net> wrote:
> 
> This has been a fantastic resource for the thread I recently started (sorry 
> for the repetition in it)
> I would add:
> I've added kick-sta to replace both the authorize and unauthorize guest 
> commands in Unifi.pm
>  
> It transpired my in house cert was upsetting things until I updated ca certs 
> on the debian container I'm using. The symptom was the following in 
> packetfence.log:
> before:
> Can't login on the Unifi controller: 500 Can't connect to 10.100.103.33:8443 
> (certificate verify failed) 
> (pf::Switch::Ubiquiti::Unifi::_deauthenticateMacWithHTTP)
> after:
> Switched status on the Unifi controller using command kick-sta 
> (pf::Switch::Ubiquiti::Unifi::_deauthenticateMacWithHTTP)
>  
> After this the kick events come through and I get a brief drop in packets 
> whilst pinging.  I'm still fighting the final issue - which is increasing the 
> duration of the kick, or ensuring a full re-auth occurs, as currently the 
> device I'm testing with drops packets, but remains on the same VLAN still 
> until the device is toggled. 
>  
> Thanks for the guidance and let me know if you face/overcame anything similar.
>  
> Cheers,
>  
> David
>  
>  
> On Mon, Jul 17, 2017 at 3:54 PM, Frederic Hermann via PacketFence-users 
> <packetfence-users@lists.sourceforge.net> wrote:
> > De: "Michael Westergaard via PacketFence-users" 
> > <packetfence-users@lists.sourceforge.net>
> Hi Michael,
> 
> 
> > I am trying to see if Packetfence is a proper way to do NAC with Unifi 
> > UAP-AC
> > with dynamic VLAN. According to the new Unifi Controller 5.5.19 release,
> > Dynamic Wireless VLAN with RADIUS is now out of beta which Packetfence is 
> > using
> > for authenticating users over wireless and then changing the VLAN.
> 
> > However I cannot find any documentation anywhere if this is possible in
> > Packetfence Documentation?
> 
> > Especially Packetfence Out of Band (Dynamic VLAN) with Unifi. Have anybody 
> > been
> > able to make it work?
> 
> We made some tests a few weeks ago, and we've been able to manage a Unifi 
> controller using Radius mode (rather than the Portal mode described in 
> PacketFence documentation).
> 
> This allows you to use dynamic VLANs with WPA2-Enterprise, as it seems that 
> dynamic VLANs are only available in secure mode on Unifi.
> 
> The only change we had to do (on the packetfence side) was
> 
> 
> That means you have to configure your AP type as "Unifi Controller" in 
> packetfence, and set the Deauth method to "HTTPS", instead of Radius.
> Of course you will also define the unifi controller IP in the same location.
> Then you will have to edit (or override) the Unifi.pm module to change the 
> webservice command used to auth/deauth users: this is in the 
> "_deauthenticateMacWithHTTP" method, and you should use the "kick-sta" Unifi 
> command through the webservice, instead of 
> "authorize-guest/unauthorise-guest".
> 
> Hope this helps,
> 
> Regards
> 
> ------------------------------------------------------------------------------
> Check out the vibrant tech community on one of the world's most
> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
> _______________________________________________
> PacketFence-users mailing list
> PacketFence-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/packetfence-users
>  
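To make the Juniper point raised in the thread concrete, here is an added configuration sketch; it is not from the thread, the PacketFence guide or Juniper documentation, and the interface names, the profile name pf-radius, the RADIUS server address and the shared secret are placeholders. It places the dot1x interface stanza with mac-radius enabled, which is the fallback Holger describes, next to the same stanza without it, and lists interfaces one by one as his PS suggests.

```junos
/* Added example, not from the thread or the PacketFence guide.
   Interface names, profile name, address and secret are placeholders. */

/* Weak: 802.1X and MAC RADIUS on the same port. A client that does not
   complete 802.1X is authenticated by its MAC address alone, so the
   port's security is only as good as the MAC, which can be spoofed. */
protocols {
    dot1x {
        authenticator {
            authentication-profile-name pf-radius;
            interface ge-0/0/10.0 {
                supplicant single;
                mac-radius;
            }
        }
    }
}

/* Hardened: no mac-radius, so the port only opens after a successful
   EAP exchange with the RADIUS server. Interfaces are named explicitly
   rather than via an interface range, as Holger found necessary on EX3200. */
protocols {
    dot1x {
        authenticator {
            authentication-profile-name pf-radius;
            interface ge-0/0/10.0 {
                supplicant single;
            }
            interface ge-0/0/11.0 {
                supplicant single;
            }
        }
    }
}

/* RADIUS access profile used by both variants; the PacketFence server
   address and shared secret below are placeholders. */
access {
    radius-server {
        192.0.2.10 secret "REPLACE-WITH-SHARED-SECRET";
    }
    profile pf-radius {
        authentication-order radius;
        radius {
            authentication-server 192.0.2.10;
        }
    }
}
```

A quick check after committing: `show dot1x interface ge-0/0/10.0 detail` should report the authenticated supplicant with its 802.1X method, and no session should appear for a client that only sent frames without completing EAP.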