Thank you for this explanation... it wasn't quite clicking for me and I
think I understand now.
On 6/29/2018 12:07 PM, Sallee, Jake via PacketFence-users wrote:
TL;DR: The PF RADIUS server always accepts connection requests unless the node
is assigned the DENY role (or a custom equivalent).
Longer answer:
Let's assume you are using VLAN enforcement (it's the most common and what I am
familiar with : )
Here is the workflow for an unregistered node that PF has never seen before:
When the access request comes in to PF using the MAC as the username, PF adds
the MAC to its database and ACCEPTS the connection. However, PF adds a RADIUS
AVPair to the RADIUS response instructing the AP or switch (the NAS in RADIUS
parlance) to place the device in the registration VLAN.
The device is now on the registration network and the user is forced to
register.
PF de-authenticates the device from the NAS.
The device interprets this loss of connection as a simple interruption and
tries to reconnect.
PF RADIUS sees the MAC, does the DB query and finds it is reg'ed, and returns
an ACCESS ACCEPT. This time the AVPair contains the VLAN for the role the
client was assigned by the registration process.
and voila!
In order for the node to have access to the reg portal (and the isolation
portal) the RADIUS server still must accept the access request. If PF sent an
ACCESS DENY response the node would not be able to get on the network at all.
That is why PF accepts connections by default.
Hope that helps.
Jake Sallee
Godfather of Bandwidth
System Engineer
University of Mary Hardin-Baylor
WWW.UMHB.EDU
900 College St.
Belton, Texas
76513
Fone: 254-295-4658
Phax: 254-295-4221
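The two-pass flow Jake describes (MAC-as-username request, Access-Accept into the registration VLAN, deauthentication, second request landing in the role VLAN, Access-Reject only for the DENY role), written out as a small model. This is an added example, not PacketFence code; the node table, VLAN ids, role names and the Disconnect-Request step are constructed assumptions.

```python
from dataclasses import dataclass, field

# RFC 2868 tunnel attributes carried in the Access-Accept for VLAN enforcement:
# Tunnel-Type 13 = VLAN, Tunnel-Medium-Type 6 = IEEE 802, and the VLAN id itself.
REGISTRATION_VLAN = "100"                            # assumed registration VLAN
ROLE_VLANS = {"default": "200", "students": "210"}   # assumed role -> VLAN map

@dataclass
class Node:
    mac: str
    status: str = "unreg"   # "unreg" until the portal registers it, then "reg"
    role: str = ""          # assigned at registration; "DENY" blocks access

@dataclass
class NodeDB:
    nodes: dict = field(default_factory=dict)   # stands in for PF's node table

def vlan_avpairs(vlan_id):
    return {"Tunnel-Type": 13, "Tunnel-Medium-Type": 6,
            "Tunnel-Private-Group-ID": vlan_id}

def handle_access_request(db, username):
    """MAC authentication: the NAS sends the MAC as User-Name. An unknown MAC is
    added to the node table and still gets Access-Accept, but into the
    registration VLAN; only the DENY role turns into Access-Reject."""
    mac = username.lower()
    node = db.nodes.setdefault(mac, Node(mac))
    if node.role == "DENY":
        return ("Access-Reject", {})
    if node.status != "reg":
        return ("Access-Accept", vlan_avpairs(REGISTRATION_VLAN))
    return ("Access-Accept", vlan_avpairs(ROLE_VLANS[node.role]))

def register(db, mac, role):
    """Captive-portal registration: record status and role, then tell the NAS to
    drop the session so the client re-authenticates. Modelled here as a RADIUS
    Disconnect-Request (RFC 5176); the real mechanism depends on the NAS."""
    node = db.nodes[mac.lower()]
    node.status, node.role = "reg", role
    return "Disconnect-Request"

def walk_through():
    db = NodeDB()
    mac = "AA:BB:CC:DD:EE:01"                        # constructed client MAC
    first = handle_access_request(db, mac)           # never seen -> reg VLAN
    deauth = register(db, mac, "students")           # user registers on portal
    second = handle_access_request(db, mac)          # reg'ed -> role VLAN
    db.nodes[mac.lower()].role = "DENY"              # admin blocks the node
    third = handle_access_request(db, mac)           # DENY -> Access-Reject
    return first, deauth, second, third
```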
________________________________________
From: Steve Pfister via PacketFence-users
<[email protected]>
Sent: Friday, June 29, 2018 8:59 AM
To: Sallee, Jake via PacketFence-users
Cc: Steve Pfister
Subject: Re: [PacketFence-users] Autoregistering thousand of Chromebooks
Actually, I thought the WLC was still doing the MAC filtering. It
appears to be sending an auth request to PF using the MAC address as the
username, and something obscured as the password (I'm assuming it's also
the MAC). It looks like it's getting authenticated even though no
username like that exists. Why would that be?
On 6/28/2018 12:35 PM, Sallee, Jake via PacketFence-users wrote:
Does MAC filtering really not do anything?
PF doesn't do MAC filtering by default.
_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users