Re: [PacketFence-users] Prevent MAB when 802.1x was originally used

Wed, 10 Apr 2019 23:42:17 -0700 

Hello Stuart,

WIRED_MAC_AUTH is deprecated now.

https://github.com/inverse-inc/packetfence/blob/devel/UPGRADE.asciidoc#update-connection_type-from-wired_mac_auth-to-ethernet-noeap

Regards

Fabrice


Le 19-04-09 à 16 h 57, Stuart Gendron via PacketFence-users a écrit :

Hey all,
One issue we've faced in our Mac environment is that the MAC address being used to authenticate is tied to the Ethernet adaptor. So in theory, someone could grab one from a system where the user was authorized using 802.1x credentials, plug it into their system, and then be on the network.
Searching around I found a radius_filters.conf example posted that should prevent that.
Essentially if the device was auto-registered with 802.1x credentials it'll be forced for them everytime. 

Here it is:

>     [EthernetEAP]
>     filter = connection_type
>     operator = match
>     value = Ethernet-EAP
>
>     [1:EthernetEAP]
>     scope = AutoRegister
>     role = default
>
>
>     [autoreg]
>     filter = node_info
>     attribute = autoreg
>     operator = match
>     value = yes
>
>     [ WIRED_MAC_AUTH]
>     filter = connection_type
>     operator = match
>     value = WIRED_MAC_AUTH
>
>     [2:autoreg&WIRED_MAC_AUTH]
>     scope = NormalVlan
>     action = deregister_node
>     action_param = mac = $mac
>
>     [3:autoreg&WIRED_MAC_AUTH]
>     scope = NormalVlan
>     action = modify_node
>     action_param = mac = $mac, autoreg = no
I've added this in but get :

Error building rule : condition 'WIRED_MAC_AUTH' was not found
Was wondering if there's any updated version of this ruleset as I grabbed it from an older reply. 

Thanks!

--

        *Stuart Gendron*
IT Support Specialist

*You.i Labs*
307 Legget Drive, Kanata, ON, K2K 3C8 <https://maps.google.com/?q=307+Legget+Drive,+Kanata,+ON,%C2%A0K2K+3C8&entry=gmail&source=g> 
t (613) 228-9107 x258 | c (613) 697-6853



_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users

_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users






















					Reply via email to