Eugene:
You should use the IP address of your AP instead of the MAC address. The
pictures are available at:
https://github.com/inverse-inc/packetfence/blob/ae18f50b4879cc2d4132490fcee33f2fbe53b36f/docs/images/unifi-open.png
https://github.com/inverse-inc/packetfence/blob/ae18f50b4879cc2d4132490fcee33f2fbe53b36f/docs/images/unifi-radius.png
https://github.com/inverse-inc/packetfence/blob/ae18f50b4879cc2d4132490fcee33f2fbe53b36f/docs/images/unifi-secure.png
My thread probably has more in depth images though.
—
Holger:
You are correct that MAC auth is vulnerable to attack. I believe PacketFence
can detect a host name change as one mitigation and trigger a violation.
Another mitigation is to put your network behind 802.1x or WPA2. I have to auth
people against G Suite, so I can't currently use 802.1x (OAuth). For the guest
network, spoofing isn't as much of an issue since it's separated from my
corporate LAN. I would start a separate thread for this though.
Sent from mobile phone
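The host-name-change check mentioned above, worked through as an added example (this is not PacketFence code, and the log format, the `method` field and every sample record are constructed for the example). It parses a small constructed authentication log and raises a finding when the same MAC address reappears with a different host name, or when a MAC that previously completed 802.1X is later admitted through MAC authentication only, which is the weaker fallback path the Juniper `mac radius` discussion below is about.

```python
"""Flag endpoint-identity changes that may indicate MAC spoofing.

Added example, not PacketFence code. The log format and all sample
records below are constructed for this example and are not
PacketFence's own log schema.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample log: one authentication event per line.
# "method" is the auth path the switch reported for the session:
# dot1x (802.1X) or mac-radius (MAC authentication fallback).
SAMPLE_LOG = """\
2018-02-02T08:00:00 mac=00:11:22:33:44:55 hostname=alice-laptop method=dot1x
2018-02-02T08:05:00 mac=aa:bb:cc:dd:ee:01 hostname=printer-3f method=mac-radius
2018-02-02T09:10:00 mac=00:11:22:33:44:55 hostname=alice-laptop method=dot1x
2018-02-02T09:30:00 mac=AA-BB-CC-DD-EE-01 hostname=other-host method=mac-radius
2018-02-02T10:00:00 mac=00:11:22:33:44:55 hostname=alice-laptop method=mac-radius
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) mac=(?P<mac>\S+) hostname=(?P<hostname>\S+) method=(?P<method>\S+)$"
)


@dataclass
class AuthEvent:
    ts: str
    mac: str       # normalized to lower-case, colon-separated
    hostname: str  # e.g. the DHCP-advertised host name
    method: str    # "dot1x" or "mac-radius"


def normalize_mac(mac: str) -> str:
    """Canonical form so 'AA-BB-..' and 'aa:bb:..' compare equal."""
    return mac.strip().lower().replace("-", ":")


def parse_events(log: str) -> List[AuthEvent]:
    """Parse the constructed log format; malformed lines are skipped."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append(AuthEvent(m["ts"], normalize_mac(m["mac"]),
                                m["hostname"], m["method"]))
    return events


def detect_violations(events: List[AuthEvent]) -> List[dict]:
    """Return one finding per suspicious transition for a MAC.

    Two conditions are checked, both keyed on the MAC address:
    - hostname_change: the same MAC now advertises a different host name;
    - dot1x_to_mac_fallback: a MAC that previously completed 802.1X is now
      admitted via MAC authentication only (the weaker fallback path).
    """
    last: Dict[str, AuthEvent] = {}
    findings: List[dict] = []
    for ev in sorted(events, key=lambda e: e.ts):
        prev = last.get(ev.mac)
        if prev is not None:
            if prev.hostname != ev.hostname:
                findings.append({"mac": ev.mac, "ts": ev.ts,
                                 "kind": "hostname_change",
                                 "before": prev.hostname, "after": ev.hostname})
            if prev.method == "dot1x" and ev.method == "mac-radius":
                findings.append({"mac": ev.mac, "ts": ev.ts,
                                 "kind": "dot1x_to_mac_fallback",
                                 "before": prev.method, "after": ev.method})
        last[ev.mac] = ev
    return findings


if __name__ == "__main__":
    for f in detect_violations(parse_events(SAMPLE_LOG)):
        print(f"{f['ts']} {f['mac']} {f['kind']}: {f['before']} -> {f['after']}")
```

On the constructed log this yields two findings: the printer's MAC reappearing with a new host name, and Alice's laptop dropping from 802.1X to MAC-only admission. Either transition is a reasonable trigger for a violation or a re-authentication rather than a silent fallback.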
> On Feb 2, 2018, at 03:15, <[email protected]>
> <[email protected]> wrote:
>
> Hello Tim,
> hi all,
>
> we do use Juniper EX3200 Switches here and I would like to discuss a security
> issue in your example conf for Juniper in the documentation referenced by
> your posting below:
>
> Your doc suggests the option "mac radius" to be activated. I would rather NOT
> suggest that, because:
> MAC authentication is subject to spoofing attacks, which one exactly wants to
> get rid of by using 802.1x.
> It is exactly the wrong way to activate the mac radius option, as in this
> case a Juniper switch would use simple mac radius as a fallback if 802.1x
> fails, which is exactly what you would NOT want to have if you want to
> be sure NOT to be vulnerable to MAC spoofing attacks.
>
> So is there a reason you suggest that option that I didn't get?
>
> Bye,
> Holger
>
> PS:
> An additional personal hint: using interface ranges in the "protocols / dot1x
> / interface" config did not work with our switches; we had to explicitly name
> the interfaces there.
>
>
> From: Timothy Mullican via PacketFence-users
> [mailto:[email protected]]
> Sent: Thursday, 1 February 2018 18:11
> To: [email protected]
> Cc: Timothy Mullican <[email protected]>; Frederic Hermann
> <[email protected]>
> Subject: Re: [PacketFence-users] Packetfence RADIUS and Unifi Out of Band
>
> By the way,
> Fabrice Durand already added code to do this in pull request #2735 on github.
> See
> https://patch-diff.githubusercontent.com/raw/inverse-inc/packetfence/pull/2735.patch
> You can apply that patch to get it working. Also see
> https://github.com/inverse-inc/packetfence/blob/ae18f50b4879cc2d4132490fcee33f2fbe53b36f/docs/PacketFence_Network_Devices_Configuration_Guide.asciidoc
> for the updated documentation. You can read through my earlier thread to see
> the steps I took to get it working.
>
> Tim
>
> Sent from mobile phone
>
> On Feb 1, 2018, at 10:15, David Harvey via PacketFence-users
> <[email protected]> wrote:
>
> This has been a fantastic resource for the thread I recently started (sorry
> for the repetition in it)
> I would add:
> I've added kick-sta to replace both the authorize and unauthorize guest
> commands in Unifi.pm
>
> It transpired my in-house cert was upsetting things until I updated CA certs
> on the Debian container I'm using. The symptom was the following in
> packetfence.log:
> before:
> Can't login on the Unifi controller: 500 Can't connect to 10.100.103.33:8443
> (certificate verify failed)
> (pf::Switch::Ubiquiti::Unifi::_deauthenticateMacWithHTTP)
> after:
> Switched status on the Unifi controller using command kick-sta
> (pf::Switch::Ubiquiti::Unifi::_deauthenticateMacWithHTTP)
>
> After this the kick events come through and I get a brief drop in packets
> whilst pinging. I'm still fighting the final issue - which is increasing the
> duration of the kick, or ensuring a full re-auth occurs, as currently the
> device I'm testing with drops packets, but remains on the same VLAN still
> until the device is toggled.
>
> Thanks for the guidance and let me know if you face/overcame anything similar.
>
> Cheers,
>
> David
>
>
> On Mon, Jul 17, 2017 at 3:54 PM, Frederic Hermann via PacketFence-users
> <[email protected]> wrote:
> > From: "Michael Westergaard via PacketFence-users"
> > <[email protected]>
> Hi Michael,
>
>
> > I am trying to see if Packetfence is a proper way to do NAC with Unifi
> > UAP-AC with dynamic VLAN. According to the new Unifi Controller 5.5.19
> > release, Dynamic Wireless VLAN with RADIUS is now out of beta which
> > Packetfence is using for authenticating users over wireless and then
> > changing the VLAN.
>
> > However I cannot find any documentation anywhere if this is possible in
> > Packetfence Documentation?
>
> > Especially Packetfence Out of Band (Dynamic VLAN) with Unifi. Has anybody
> > been able to make it work?
>
> We made some tests a few weeks ago, and we've been able to manage a Unifi
> controller using RADIUS mode (rather than the Portal mode described in the
> PacketFence documentation).
>
> This allows you to use dynamic VLAN with WPA2-Enterprise, as it seems that
> dynamic VLANs are only available in secure mode on Unifi.
>
> The only change we had to do (on the packetfence side) was
>
>
> That means you have to configure your AP type as "Unifi Controller" in
> PacketFence, and set the Deauth method to "HTTPS" instead of RADIUS.
> Of course you will also define the Unifi controller IP in the same location.
> Then you will have to edit (or override) the Unifi.pm module to change the
> webservice command used to auth/deauth users: this is in the
> "_deauthenticateMacWithHTTP" method, and you should use the "kick-sta" Unifi
> command through the webservice, instead of
> "authorize-guest/unauthorise-guest".
>
> Hope this helps,
>
> Regards
>
> ------------------------------------------------------------------------------
> Check out the vibrant tech community on one of the world's most
> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
> _______________________________________________
> PacketFence-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/packetfence-users