Nicolas, to give you some extra information: I have configured the Switch in PF and I have configured a Registration VLAN, but this VLAN doesn't exist in the Switch. In the configuration of this Network Device I haven't configured SNMP and CLI credentials because I don't want PF to modify the switch configuration. I have configured the "default VLAN" equal to the one that the switch has on its ports (Cisco command: switchport access vlan XX).
regards,
Marcelo

> On Oct 9, 2018, at 15:36, Marcelo Pepe <[email protected]> wrote:
>
> Hello Nicolas,
>
> Thanks for your last answer. I think I understand how PF works, but I still
> have the doubt whether it's possible to configure PF in the following way when
> connecting a new device to a Switch that is already configured and in
> production in PF:
>
> 1 - the device tries 802.1X
> 2 - if it fails to authenticate using 802.1X or the device doesn't have a
> supplicant, then it tries MAC authentication (the Switch is already configured
> to do MAC Auth fallback)
> 3 - PF doesn't give access to that device by MAC Authentication Bypass (that
> is, it puts the node in the unregistered state) unless the device is permitted
> by PF by a mechanism (I would like to use a MAC White List), and in that case
> changes the state to registered.
>
> Could it be possible to configure this?
>
> Thanks,
> regards,
> Marcelo
>
>
>> On Oct 3, 2018, at 15:04, Nicolas Quiniou-Briand <[email protected]> wrote:
>>
>> Hello Marcelo,
>>
>> On 2018-10-02 01:02 PM, Marcelo Pepe wrote:
>>> I have created a Radius "Blackhole" Source (I didn't know which type
>>> of Source I should configure) and associated that source to the
>>> default Connection Profile as you told me, but it didn't work. PF is
>>> permitting every MAC, without any filter (as before); I am obviously
>>> doing something wrong. How can I resolve this situation?
>>
>> To understand what PF does, run the following command before you plug a device
>> into your switch:
>>
>> ```
>> tailf /usr/local/pf/logs/packetfence.log | grep MAC_OF_YOUR_DEVICE
>> ```
>>
>> With this, you will see all messages related to your device.
>>
>>> And when this is configured, how could I permit some MACs (from
>>> a MAC white list)?
>>
>> You have to understand one thing: the goal of PF is to register nodes.
>> Nodes can have two states: unregistered/registered. You can check node
>> states in the Nodes tab.
>>
>> In a default configuration:
>>
>> If you plug a device already registered by PF into a port that does MAC Auth,
>> PF will allow network access to that device.
>>
>> If this device hasn't been registered before, PF will try to put it in a
>> registration VLAN depending on the configuration of the network device from
>> which the RADIUS request came.
>>
>> Hope that helps.
>> --
>> Nicolas Quiniou-Briand
>> [email protected] :: +1.514.447.4918 *140 :: https://inverse.ca
>> Inverse inc. :: Leaders behind SOGo (https://sogo.nu), PacketFence
>> (https://packetfence.org) and Fingerbank (http://fingerbank.org)
>
> _______________________________________________
> PacketFence-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/packetfence-users
