TL;DR: The PF RADIUS server always accepts connection requests unless the node is assigned the DENY role (or a custom equivalent).
Longer answer: Let's assume you are using VLAN enforcement (it's the most common and what I am familiar with : )

Here is the workflow for an unregistered node that PF has never seen before:

When the access request comes in to PF using the MAC as the username, PF adds the MAC to its database and ACCEPTS the connection. However, PF adds a RADIUS AVPair to the RADIUS response instructing the AP or switch (the NAS in RADIUS parlance) to place the device in the registration VLAN. The device is now on the registration network and the user is forced to register.

PF de-authenticates the device from the NAS. The device interprets this loss of connection as a simple interruption and tries to reconnect. PF RADIUS sees the MAC, does the DB query and finds it is reg'ed, and returns an ACCESS ACCEPT. This time the AVPair contains the VLAN for the role the client was assigned by the registration process, and voila!

In order for the node to have access to the reg portal (and the isolation portal) the RADIUS server still must accept the access request. If PF sent an ACCESS DENY response the node would not be able to get on the network at all. That is why PF accepts connections by default.

Hope that helps.

Jake Sallee
Godfather of Bandwidth
System Engineer
University of Mary Hardin-Baylor
WWW.UMHB.EDU
900 College St.
Belton, Texas 76513
Fone: 254-295-4658
Phax: 254-295-4221

________________________________________
From: Steve Pfister via PacketFence-users <[email protected]>
Sent: Friday, June 29, 2018 8:59 AM
To: Sallee, Jake via PacketFence-users
Cc: Steve Pfister
Subject: Re: [PacketFence-users] Autoregistering thousand of Chromebooks

Actually, I thought the WLC was still doing the MAC filtering. It appears to be sending an auth request to PF using the MAC address as the username, and something obscured as the password (I'm assuming it's also the MAC). It looks like it's getting authenticated even though no username like that exists. Why would that be?
On 6/28/2018 12:35 PM, Sallee, Jake via PacketFence-users wrote:
>> Does MAC filtering really not do anything?
> PF doesn't do MAC filtering by default.

_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
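The decision flow described in the reply above, as an added example that is not part of the thread and not PacketFence's own code: a small Python model of a MAC-authentication Access-Request handled the way the message describes (accept an unknown MAC and steer it to the registration VLAN; accept a registered MAC and steer it to its role VLAN; reject only the deny role). The node table, the VLAN ids 100 (registration) and 200 (role "staff") and the role name DENY used for the rejected case are assumptions taken from or invented around the message; the attribute numbers and values for Tunnel-Type, Tunnel-Medium-Type and Tunnel-Private-Group-ID are the standard RFC 2868 ones a NAS reads to pick the VLAN.

```python
"""Toy model of the PacketFence-style RADIUS verdict for MAC authentication.

Constructed example, not PacketFence code. Assumptions (not from the thread):
the node table layout, VLAN 100 for registration, VLAN 200 for role "staff",
and the role name DENY (as the message calls it) for the one rejected case.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple
import struct

# RFC 2868 tunnel attributes carried in the Access-Accept to assign a VLAN
TUNNEL_TYPE = 64               # value 13 = VLAN
TUNNEL_MEDIUM_TYPE = 65        # value 6  = IEEE-802
TUNNEL_PRIVATE_GROUP_ID = 81   # value    = VLAN id as a string
VLAN = 13
IEEE_802 = 6

REGISTRATION_VLAN = 100          # assumption: registration network
ROLE_VLANS = {"staff": 200}      # assumption: one role with its VLAN
DENY_ROLE = "DENY"               # the only role that turns into a reject


@dataclass
class Node:
    mac: str
    status: str = "unreg"        # "unreg" until the captive portal registers it
    role: Optional[str] = None


@dataclass
class NodeDB:
    nodes: Dict[str, Node] = field(default_factory=dict)

    def lookup_or_add(self, mac: str) -> Node:
        # a MAC never seen before is inserted as unregistered on first contact
        return self.nodes.setdefault(mac, Node(mac))

    def register(self, mac: str, role: str) -> None:
        # what the registration portal does once the user has gone through it
        node = self.lookup_or_add(mac)
        node.status = "reg"
        node.role = role


def vlan_avps(vlan_id: int) -> bytes:
    """Encode the three tagged tunnel attributes as RADIUS AVPs.

    Each AVP is: type (1 byte), length (1 byte, whole AVP), tag (1 byte, 0x00),
    then the value: a 3-byte integer for the two enumerations, a string for the
    group id.
    """
    def avp(attr_type: int, payload: bytes) -> bytes:
        body = b"\x00" + payload
        return struct.pack("!BB", attr_type, 2 + len(body)) + body

    return (avp(TUNNEL_TYPE, struct.pack("!I", VLAN)[1:])
            + avp(TUNNEL_MEDIUM_TYPE, struct.pack("!I", IEEE_802)[1:])
            + avp(TUNNEL_PRIVATE_GROUP_ID, str(vlan_id).encode()))


def handle_access_request(db: NodeDB, mac: str) -> Tuple[str, Optional[int]]:
    """Verdict for an Access-Request whose User-Name is the device MAC.

    Returns the RADIUS code and the VLAN the NAS is told to use. Everything
    is accepted except a node in the deny role; the registration VLAN is what
    lets an unknown device reach the captive portal at all.
    """
    node = db.lookup_or_add(mac)
    if node.status != "reg":
        return "Access-Accept", REGISTRATION_VLAN
    if node.role == DENY_ROLE:
        return "Access-Reject", None
    return "Access-Accept", ROLE_VLANS[node.role]


def walk_through():
    """The sequence from the message: first contact, registration, reconnect, plus a denied node."""
    db = NodeDB()
    mac = "aa:bb:cc:dd:ee:01"                     # constructed MAC
    first = handle_access_request(db, mac)        # never seen: added, sent to VLAN 100
    db.register(mac, "staff")                     # user completes the portal
    # PF now deauthenticates the device at the NAS; the device reconnects and
    # the NAS sends a fresh Access-Request for the same MAC
    second = handle_access_request(db, mac)       # registered: sent to the role VLAN
    denied = "aa:bb:cc:dd:ee:02"                  # constructed MAC in the deny role
    db.register(denied, DENY_ROLE)
    third = handle_access_request(db, denied)     # the one case that is rejected
    return [first, second, third]


if __name__ == "__main__":
    for code, vlan in walk_through():
        print(code, vlan, vlan_avps(vlan).hex() if vlan is not None else "-")
```

Seen this way, the behaviour Steve observed (a MAC "authenticating" although no such username exists anywhere) is the first branch of handle_access_request: the verdict is a constant accept, and the control lives in the AVPs that ride on it, which is why a deny role is the only thing that changes the RADIUS code.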
