Hey all,

One issue we've faced in our Mac environment is that the MAC address being used to authenticate is tied to the Ethernet adaptor. So in theory, someone could grab one from a system where the user was authorized using 802.1x credentials, plug it into their system, and then be on the network.

Searching around I found a radius_filters.conf example posted that should prevent that. Essentially, if the device was auto-registered with 802.1x credentials it'll be forced for them every time. Here it is:

> [EthernetEAP]
> filter = connection_type
> operator = match
> value = Ethernet-EAP
>
> [1:EthernetEAP]
> scope = AutoRegister
> role = default
>
>
> [autoreg]
> filter = node_info
> attribute = autoreg
> operator = match
> value = yes
>
> [ WIRED_MAC_AUTH]
> filter = connection_type
> operator = match
> value = WIRED_MAC_AUTH
>
> [2:autoreg&WIRED_MAC_AUTH]
> scope = NormalVlan
> action = deregister_node
> action_param = mac = $mac
>
> [3:autoreg&WIRED_MAC_AUTH]
> scope = NormalVlan
> action = modify_node
> action_param = mac = $mac, autoreg = no

I've added this in but get:

Error building rule : condition 'WIRED_MAC_AUTH' was not found

Was wondering if there's any updated version of this ruleset, as I grabbed it from an older reply.

Thanks!

--
*Stuart Gendron*
IT Support Specialist
*You.i Labs*
307 Legget Drive, Kanata, ON, K2K 3C8
t (613) 228-9107 x258 | c (613) 697-6853
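An added example, not part of the original post and not PacketFence code: a small checker that lists the condition sections in a radius_filters.conf-style file and reports every numbered rule header that references a name with no exactly matching section. It assumes rule headers combine names with `&`, `|`, `!` and parentheses (the post only shows `&`) and that section names are compared exactly; whether PacketFence trims whitespace inside the brackets is not stated on the page.

```python
import re

# Constructed sample: the ruleset quoted in the post, headers kept exactly as posted.
SAMPLE = """\
[EthernetEAP]
filter = connection_type
operator = match
value = Ethernet-EAP
[1:EthernetEAP]
scope = AutoRegister
role = default
[autoreg]
filter = node_info
attribute = autoreg
operator = match
value = yes
[ WIRED_MAC_AUTH]
filter = connection_type
operator = match
value = WIRED_MAC_AUTH
[2:autoreg&WIRED_MAC_AUTH]
scope = NormalVlan
action = deregister_node
action_param = mac = $mac
[3:autoreg&WIRED_MAC_AUTH]
scope = NormalVlan
action = modify_node
action_param = mac = $mac, autoreg = no
"""

HEADER = re.compile(r"^\[(.*)\]\s*$")   # whole-line section header, name kept untrimmed
RULE = re.compile(r"^\s*(\d+)\s*:(.*)$")  # "<number>:<condition expression>"

def check_filters(text):
    """Return (rule_header, missing_name, near_match_or_None) for unresolved references."""
    headers = [m.group(1) for line in text.splitlines() if (m := HEADER.match(line))]
    conditions = [h for h in headers if not RULE.match(h)]
    rules = [(h, m.group(2)) for h in headers if (m := RULE.match(h))]
    findings = []
    for h, expr in rules:
        # Operator set is an assumption of this example; the post only uses "&".
        for name in filter(None, re.split(r"[&|!()\s]+", expr)):
            if name not in conditions:
                near = next((c for c in conditions if c.strip() == name), None)
                findings.append((h, name, near))
    return findings

if __name__ == "__main__":
    for rule, name, near in check_filters(SAMPLE):
        hint = f" (closest defined section: [{near}])" if near else ""
        print(f"[{rule}]: condition '{name}' not defined{hint}")
```

Run against the sample, it flags rules 2 and 3 and points at the `[ WIRED_MAC_AUTH]` header, whose name differs from the referenced one only by a leading space.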
