Thanks again for this explanation last week. I think we've gotten things squared away now. Have you had any issues with Fingerbank? I've posted questions to the list with no response yet.  Our Packetfence server seems to be hitting the Fingerbank servers rather a lot. For example, as I type this, in the 10+ hours since the log file started, there are already 142k lines in the fingerbank.log file. Most of the lines have "GET /endpoint_data/<MAC address>" with what appears to be an http-style status code of 200. If I search the log file for that MAC address, there are already 2000 occurrences of it. Is this normal? It seems odd.
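
A quick way to put numbers on what the log shows, as an added example that is not part of this thread and not PacketFence or Fingerbank code: it tallies the `GET /endpoint_data/<MAC>` requests per MAC in a fingerbank.log-style file and flags MACs being looked up at a sustained rate. The line layout in `SAMPLE_LOG` (timestamp, level, method, path, status) is constructed for the example and is an assumption about the real file; adjust `LINE_RE` to match the actual format.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample lines in an assumed fingerbank.log-style layout
# (timestamp, level, method, path, HTTP status). Not real log output.
SAMPLE_LOG = """\
2018-07-02 08:00:01 INFO GET /endpoint_data/00:11:22:33:44:55 200
2018-07-02 08:00:02 INFO GET /endpoint_data/66:77:88:99:aa:bb 200
2018-07-02 08:00:03 INFO GET /endpoint_data/00:11:22:33:44:55 200
2018-07-02 08:00:05 INFO GET /endpoint_data/00:11:22:33:44:55 200
2018-07-02 08:00:07 INFO GET /endpoint_data/cc:dd:ee:ff:00:11 404
2018-07-02 08:00:09 INFO GET /endpoint_data/00:11:22:33:44:55 200
2018-07-02 08:01:00 INFO GET /endpoint_data/00:11:22:33:44:55 200
"""

# Assumed line shape; only the endpoint_data lookups are of interest here.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \S+ "
    r"GET /endpoint_data/(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) (?P<status>\d{3})",
    re.IGNORECASE,
)


def parse_lookups(text):
    """Yield (timestamp, mac, status) for every endpoint_data request line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield (datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
                   m["mac"].lower(), int(m["status"]))


def lookup_stats(text):
    """Per-MAC request count, status breakdown and observed time span in seconds."""
    counts = Counter()
    statuses = defaultdict(Counter)
    first, last = {}, {}
    for ts, mac, status in parse_lookups(text):
        counts[mac] += 1
        statuses[mac][status] += 1
        first.setdefault(mac, ts)
        last[mac] = ts
    return {mac: {"count": counts[mac],
                  "statuses": dict(statuses[mac]),
                  "span_seconds": (last[mac] - first[mac]).total_seconds()}
            for mac in counts}


def chatty_macs(text, min_count=3, min_rate_per_min=1.0):
    """MACs looked up at least min_count times at a rate (requests per minute over
    the observed span) of at least min_rate_per_min. A MAC seen once has a zero
    span, so the span is floored at one second to avoid dividing by zero."""
    flagged = []
    for mac, st in lookup_stats(text).items():
        if st["count"] < min_count:
            continue
        minutes = max(st["span_seconds"], 1.0) / 60.0
        rate = st["count"] / minutes
        if rate >= min_rate_per_min:
            flagged.append((mac, st["count"], round(rate, 1)))
    return sorted(flagged, key=lambda t: t[1], reverse=True)


if __name__ == "__main__":
    for mac, n, rate in chatty_macs(SAMPLE_LOG):
        print(f"{mac}: {n} lookups, ~{rate}/min")
```

Run it against the real file with `chatty_macs(open("/usr/local/pf/logs/fingerbank.log").read())` once the regex matches your lines; a handful of MACs dominating the count points at a small set of devices being re-profiled on every event, whereas a flat distribution across thousands of MACs points at a per-request lookup with no caching.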

On 6/29/2018 12:07 PM, Sallee, Jake via PacketFence-users wrote:
TL;DR: The PF RADIUS server always accepts connection requests unless the node 
is assigned the DENY role (or a custom equivalent).

Longer answer:

Let's assume you are using VLAN enforcement (it's the most common and what I am 
familiar with :)

Here is the workflow for an unregistered node that PF has never seen before:

When the access request comes into PF using the MAC as the username, PF adds 
the MAC to its database and ACCEPTS the connection.  However, PF adds a RADIUS 
AVPair to the RADIUS response instructing the AP or switch (the NAS in RADIUS 
parlance) to place the device in the registration VLAN.

The device is now on the registration network and the user is forced to 
register.

PF de-authenticates the device from the NAS.

The device interprets this loss of connection as a simple interruption and 
tries to reconnect.

PF RADIUS sees the MAC, does the DB query and finds it is reg'ed, and returns 
an ACCESS ACCEPT.  This time the AVPair contains the VLAN for the role the 
client was assigned by the registration process.

and voilà!

In order for the node to have access to the reg portal (and the isolation 
portal) the RADIUS server still must accept the access request.  If PF sent an 
ACCESS DENY response the node would not be able to get on the network at all.

That is why PF accepts connections by default.

Hope that helps.

Jake Sallee
Godfather of Bandwidth
System Engineer
University of Mary Hardin-Baylor
WWW.UMHB.EDU

900 College St.
Belton, Texas
76513

Fone: 254-295-4658
Phax: 254-295-4221
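
The decision sequence described above, as an added example that is not part of this thread and not PacketFence's own code: a small model of a MAC-auth RADIUS decision where the answer is Access-Accept with an RFC 3580 VLAN assignment for every node except one carrying the DENY role, which gets Access-Reject. The node table, role names and VLAN IDs are made up for the example; the `violation` flag standing in for "isolated" and the fail-closed treatment of an unknown role are this example's choices, not a claim about PF's implementation.

```python
# Role -> VLAN map, made up for the example. DENY is the one role that rejects.
ROLE_VLANS = {
    "registration": "10",
    "isolation": "20",
    "staff": "100",
    "guest": "200",
    "DENY": None,
}


def mac_auth_request(mac):
    """Access-Request as a MAC-auth NAS sends it: the MAC is the User-Name
    (in practice the User-Password too, omitted here)."""
    return {"User-Name": mac.lower(), "Calling-Station-Id": mac.lower()}


def vlan_attributes(vlan_id):
    """RFC 3580 tunnel attributes telling the NAS which VLAN to put the port/session in:
    Tunnel-Type 13 = VLAN, Tunnel-Medium-Type 6 = IEEE-802."""
    return {"Tunnel-Type": 13, "Tunnel-Medium-Type": 6, "Tunnel-Private-Group-ID": vlan_id}


def radius_decision(nodes, request):
    """Model of the server side: accept, and choose the VLAN from node state."""
    mac = request["User-Name"]
    node = nodes.get(mac)
    if node is None:
        # Never seen before: record it as unregistered and still accept,
        # but on the registration VLAN so the captive portal is reachable.
        node = {"status": "unreg", "role": None}
        nodes[mac] = node
    if node["status"] != "reg":
        return {"code": "Access-Accept", **vlan_attributes(ROLE_VLANS["registration"])}
    if node.get("violation"):
        # Isolated nodes are accepted too, onto the isolation VLAN (isolation portal).
        return {"code": "Access-Accept", **vlan_attributes(ROLE_VLANS["isolation"])}
    vlan = ROLE_VLANS.get(node["role"])
    if vlan is None:
        # DENY (or, in this example, an unknown role: fail closed) is the only reject.
        return {"code": "Access-Reject"}
    return {"code": "Access-Accept", **vlan_attributes(vlan)}


def register(nodes, mac, role):
    """What the registration portal does once the user finishes."""
    nodes[mac.lower()] = {"status": "reg", "role": role}


def onboard(nodes, mac, role):
    """Walk the sequence from the post: first request on the registration VLAN,
    registration, deauth (implicit), reconnect on the role VLAN."""
    first = radius_decision(nodes, mac_auth_request(mac))
    register(nodes, mac, role)
    second = radius_decision(nodes, mac_auth_request(mac))
    return first, second


if __name__ == "__main__":
    table = {}
    for reply in onboard(table, "AA:BB:CC:DD:EE:01", "staff"):
        print(reply)
```

The point the model makes explicit is that "accepted" and "allowed onto the production network" are different things: the NAS sees an Access-Accept both times, and only the Tunnel-Private-Group-ID changes, so an auditor reading RADIUS accept/reject counters alone cannot tell a registered node from one parked on the registration VLAN.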

________________________________________
From: Steve Pfister via PacketFence-users 
<packetfence-users@lists.sourceforge.net>
Sent: Friday, June 29, 2018 8:59 AM
To: Sallee, Jake via PacketFence-users
Cc: Steve Pfister
Subject: Re: [PacketFence-users] Autoregistering thousand of Chromebooks

Actually, I thought the WLC was still doing the MAC filtering. It
appears to be sending an auth request to PF using the MAC address as the
username, and something obscured as the password (I'm assuming it's also
the MAC). It looks like it's getting authenticated even though no
username like that exists. Why would that be?

On 6/28/2018 12:35 PM, Sallee, Jake via PacketFence-users wrote:
Does MAC filtering really not do anything?
PF doesn't do MAC filtering by default.
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users
