Hello Nicolas,

Thanks for your last answer. I think I understand how PF works, but I still have a doubt about whether it's possible to configure PF in the following way when connecting a new device to a Switch that is already configured and in production in PF:

1 - the device tries 802.1X
2 - if it fails to authenticate using 802.1X or the device doesn't have a supplicant, then it tries MAC authentication (the Switch is already configured to do MAC Auth fallback)
3 - PF doesn't give access to that device by MAC Authentication Bypass (that is, it puts the node in the unregistered state) unless the device is permitted by PF by a mechanism (I would like to use a MAC White List), and in that case changes the state to registered.

Could it be possible to configure this?

Thanks, regards,
Marcelo

> On Oct 3, 2018, at 15:04, Nicolas Quiniou-Briand <[email protected]> wrote:
>
> Hello Marcelo,
>
> On 2018-10-02 01:02 PM, Marcelo Pepe wrote:
>> I have created a Radius "Blackhole" Source (I didn't know which type
>> of Source I should configure) and associated that source to the
>> default Connection Profile as you told me, but it didn't work. PF is
>> permitting every MAC, without any filter (as before). I am obviously
>> doing something wrong. How can I resolve this situation?
>
> To understand what PF does, run the following command before you plug a device
> on your switch:
>
> ```
> tailf /usr/local/pf/logs/packetfence.log | grep MAC_OF_YOUR_DEVICE
> ```
>
> With this, you will see all messages related to your device.
>
>> And when this is configured, how could I permit some MACs (from
>> a MAC white list)?
>
> You have to understand one thing: the goal of PF is to register nodes.
> Nodes can have two states: unregistered/registered. You can check node states
> in the Nodes tab.
>
> In a default configuration:
>
> If you plug a device, already registered by PF, on a port that does MAC Auth,
> PF will allow network access to that device.
>
> If this device hasn't been registered before, PF will try to put it in a
> registration VLAN depending on the configuration of the network device from where
> the RADIUS request came.
>
> Hope that helps.
> --
> Nicolas Quiniou-Briand
> [email protected] :: +1.514.447.4918 *140 :: https://inverse.ca
> Inverse inc. :: Leaders behind SOGo (https://sogo.nu), PacketFence
> (https://packetfence.org) and Fingerbank (http://fingerbank.org)
