Still struggling with this logic which I think should be simple. We're trying to set up a radius filter to only allow MAB for devices with a specific role... for example IP phones and printers. We have an issue where Macintoshes and some PCs just default to MAB and they get access to their trusted VLAN. This seems to defeat the purpose of NAC but it seems like there should be a way to only allow 802.1X for some devices and only MAB for others.

Has anyone else run into this or have any ideas to not fall back to MAB for some devices?

Robert McNutt

On Thu, Apr 23, 2020 at 7:55 AM Ludovic Zammit <[email protected]> wrote:

> Hello Robert,
>
> A fix has been done yesterday regarding the connection type:
>
> https://github.com/inverse-inc/packetfence/commit/176c6d6df606cff86a83c9cf93a571c44dd52da0
>
> Apply the maintenance branch and check if it fixes it.
>
> /usr/local/pf/addons/pf-maint.pl
>
> Thanks,
>
> Ludovic [email protected] :: +1.514.447.4918 (x145) :: www.inverse.ca
> Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence (http://packetfence.org)
>
> On Apr 22, 2020, at 3:58 PM, Robert McNutt via PacketFence-users <[email protected]> wrote:
>
> I'm trying to set a radius filter to block mac auth for any devices assigned to roles that should only auth via PEAP or EAP-TLS...
>
> For example, if a port has a phone and computer plugged in, the phone will do mac auth but the computer should never get a radius accept for mac auth... what's happening by default is if a computer fails dot1x auth it then falls back to mac auth and PF accepts it because the node was registered... this is what I'm trying to prevent...
>
> I set up a radius filter as such:
>
> connection_type == "Ethernet-NoEAP" && (node_info.category == "CORP-LAN" || node_info.category == "ADMIN-LAN")
>
> It never matches... But if I change the logic to be NOT Ethernet-EAP, everything matches, EAP and not EAP... it seems as if the connection_type isn't actually being read by the filter parsing... Am I missing something?
>
> Robert McNutt
> _______________________________________________
> PacketFence-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/packetfence-users
