Hi everyone,

I'm having problems configuring PF to authenticate users using 802.1X and MAC Authentication.

I have PacketFence installed and working properly against an AD, and I have configured a Cisco switch using 802.1X and MAC Authentication to authenticate users. I configured the switch with the proper parameters (also in PF) and I have configured a Connection Profile that uses the AD Authentication Source (using filter: Connection Type: Ethernet-EAP) to match users from 802.1X authentication.

The connection between the switch and PF is working perfectly and 802.1X authentication is working fine against the AD, but the problem that I'm having right now is that when 802.1X fails, the PC/device tries MAC Authentication (which is OK) and always gets access to the network. PF is always permitting this access without any filter.

When a PC or device connects to the Cisco switch, I want it to first try to authenticate using 802.1X and, if it doesn't have an 802.1X supplicant, I want to use MAC Authentication to access the network. But when doing MAC Authentication I want PF to check against an 'Authorized MAC list' (that is, a list of MACs that are permitted to access the network) or something similar and, as I described before, that is not what is happening.

How can I configure PF to stop granting access to every device using MAC Authentication and instead check whether the MAC is permitted in a list or something similar before letting the device access the network? I've been searching in the documentation and in the packetfence-users discussion list to find an answer but I didn't find the right one, so I decided to write here. Can someone help me with this? Is it possible to configure what I want?

To add more information, I'm thinking of configuring a new Connection Profile with a filter: Connection type: WIRED_MAC_AUTH, but I really don't know which Source to configure in that Profile. I think that maybe I can use a RADIUS authentication Source and then configure FreeRADIUS (the one that's installed with PF) to use a whitelist of MACs, but I really don't know if it will work in this case.
Could it be possible?

Thanks in advance for your help, regards,
Marcelo
