Hello Victor,
On 2018-08-02 at 21:45, Victor Hooi via PacketFence-users wrote:

> Hi Durand,
>
> Ah right - so you're saying most of the configuration happens on the
> switch-side then? (In terms of timeout, and then falling back).

Yes, exactly.

> Ubiquiti Unifi switches don't seem to make this too easy (they don't
> expose it in the management GUI) - and Arista doesn't mention anything
> about it at all in their docs about MAC bypass, or any kind of
> timeouts -
> https://www.arista.com/assets/data/pdf/user-manual/um-eos/Chapters/802.1x%20Port%20Security.pdf.
>
> Is it possible these switches simply don't support it?

Yes, it's completely possible that the switch doesn't support it. A long
time ago I did some tests with Ubiquiti switches and I was just able to
do port security with PacketFence.

Btw, it looks like Ubiquiti is starting to support mac-auth with VLAN
enforcement and 802.1x on the wireless controller, so maybe the support
will be available soon.

For Arista, I have never used these switches, but you can maybe contact the
support to see if they support it.

> That means though, on the PacketFence side - we should have RADIUS
> entries for both the username/password users we want, as well as the
> MAC devices (MAC address in both username/password field), right?

Not really; for 802.1x you need to have an authentication source that
validates the user and password (FreeRADIUS part), like joining the server
to a Windows domain or having a local PacketFence user (cf. doc).

For mac-auth, PacketFence will always return Access-Accept but return the
registration VLAN if the device is unreg or a production VLAN if the
device is reg.

This explains exactly how it works:
https://github.com/inverse-inc/packetfence/blob/devel/docs/PacketFence_Installation_Guide.asciidoc#wireless-8021x--mac-authentication

Regards
Fabrice

> Regards,
> Victor
>
> On Fri, Aug 3, 2018 at 11:19 AM Durand fabrice via PacketFence-users
> <[email protected]> wrote:
>
>> Hello Victor,
>>
>> there is no need to do special configuration to support mac auth
>> in PacketFence, it works as is.
>>
>> On the other side the switch must support 802.1x with mac-auth
>> bypass, it means that the switch will wait for 802.1x auth and if
>> it times out then it will do mac-auth.
>>
>> Hope it will help.
>>
>> Regards
>> Fabrice
>>
>> On 2018-08-01 at 22:47, Victor Hooi via PacketFence-users wrote:
>>
>>> Hi,
>>>
>>> This is a follow-up question to
>>> https://sourceforge.net/p/packetfence/mailman/message/36366809/
>>>
>>> I'm looking at setting up 802.1x for some wired switches (Unifi
>>> switches). However, not all the clients have RADIUS
>>> (username/password) support - so it seems I need some kind of
>>> MAC-address bypass to handle those clients.
>>>
>>> The FreeRadius wiki mentions this one:
>>> https://wiki.freeradius.org/guide/mac-auth#mac-auth-or-802-1x
>>>
>>> Is there an easy way to set this up from within PacketFence?
>>>
>>> I saw it mentioned in passing in the docs under 9.2.2 VLAN
>>> assignment
>>> (https://packetfence.org/doc/PacketFence_Installation_Guide.html#_technical_introduction_to_out_of_band_enforcement),
>>> but it's not clear how to actually enable this MAC authentication
>>> on PacketFence?
>>>
>>> Has anybody had experience setting this up with Unifi switches?
>>> What config do you need to do on the PacketFence side?
>>>
>>> Thanks,
>>> Victor
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org!http://sdm.link/slashdot
_______________________________________________
PacketFence-users mailing list
[email protected]
<mailto:[email protected]>
https://lists.sourceforge.net/lists/listinfo/packetfence-users
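
The behaviour described in this thread (802.1X requests validated against an authentication source, MAC-auth requests always accepted but placed in the registration or production VLAN), sketched as an added example that is not part of the original messages and is not PacketFence's own code. The VLAN IDs, the sample tables, the `Sim-Password` key, the VLAN returned after a successful 802.1X login, and the reject on a malformed MAC are assumptions made for illustration.

```python
import re

# Constructed sample data; VLAN IDs are assumptions, not PacketFence defaults.
REGISTRATION_VLAN, PRODUCTION_VLAN = 2, 10
REGISTERED_MACS = {"00:11:22:33:44:55"}
LOCAL_USERS = {"alice": "s3cret"}  # stands in for the 802.1X authentication source

MAC_RE = re.compile(r"(?:[0-9a-f]{2}[:-]?){5}[0-9a-f]{2}|(?:[0-9a-f]{4}\.){2}[0-9a-f]{4}")


def normalize_mac(value):
    """Return aa:bb:cc:dd:ee:ff for common MAC notations, else None."""
    value = (value or "").strip().lower()
    if not MAC_RE.fullmatch(value):
        return None
    digits = re.sub(r"[^0-9a-f]", "", value)
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def vlan_reply(vlan):
    # RFC 3580 tunnel attributes used for dynamic VLAN assignment.
    return {"Tunnel-Type": "VLAN", "Tunnel-Medium-Type": "IEEE-802",
            "Tunnel-Private-Group-Id": str(vlan)}


def handle_request(attrs):
    """Decide the reply for a simplified Access-Request given as a dict."""
    if "EAP-Message" in attrs:
        # 802.1X: the supplicant answered, so credentials must validate.
        # "Sim-Password" is a hypothetical key standing in for the EAP exchange.
        user = attrs.get("User-Name")
        if user not in LOCAL_USERS or LOCAL_USERS[user] != attrs.get("Sim-Password"):
            return "Access-Reject", {}
        return "Access-Accept", vlan_reply(PRODUCTION_VLAN)  # assumption
    # MAC-auth: the switch timed out waiting for 802.1X and sent the MAC itself.
    mac = normalize_mac(attrs.get("Calling-Station-Id"))
    if mac is None:
        return "Access-Reject", {}  # assumption: malformed MAC, nothing to look up
    vlan = PRODUCTION_VLAN if mac in REGISTERED_MACS else REGISTRATION_VLAN
    return "Access-Accept", vlan_reply(vlan)
```
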