Hello Robert,
It's more a VLAN filter that you have to do.
[RejectUnauthorizedRoleMAB]
run_actions=enabled
status=enabled
top_op=and
description=RejectUnauthorizedRoleMAB
scopes=RegisteredRole
role=REJECT
condition=connection_type == "Ethernet-NoEAP" && !((node_info.category == "gaming" || node_info.category == "guest"))
Regards
Fabrice
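To check that a stanza like the one above behaves as intended before it goes live, here is an added Python example (not PacketFence code) with a small evaluator for the `==`, `!=`, `&&`, `||`, `!` and parenthesis subset of the condition syntax. The operator precedence, the flat `node_info.category` lookup in a dict, and the sample node records are assumptions made for the example.

```python
import re

# Condition from the RejectUnauthorizedRoleMAB stanza above, joined onto one line.
REJECT_CONDITION = ('connection_type == "Ethernet-NoEAP" && '
                    '!((node_info.category == "gaming" || node_info.category == "guest"))')
# Token classes: quoted string literal, dotted attribute name, operator or paren.
TOKEN_RE = re.compile(r'("[^"]*")|([A-Za-z_][\w.]*)|(==|!=|&&|\|\||[!()])')

def tokenize(expr):
    """Split a condition into string literals, attribute names and operators."""
    return [s or name or op for s, name, op in TOKEN_RE.findall(expr)]

def evaluate(expr, ctx):
    """Evaluate a condition against ctx, a flat dict keyed by dotted attribute name
    (e.g. 'node_info.category'). Assumed precedence: ! > ==/!= > && > ||."""
    toks = tokenize(expr)
    def atom():
        t = toks.pop(0)
        if t == "(":
            v = or_expr()
            assert toks.pop(0) == ")", "missing ')'"
            return v
        if t == "!":
            return not atom()
        return t[1:-1] if t.startswith('"') else ctx.get(t, "")
    def cmp_expr():
        left = atom()
        while toks and toks[0] in ("==", "!="):
            op, right = toks.pop(0), atom()
            left = (left == right) if op == "==" else (left != right)
        return left
    def and_expr():
        v = cmp_expr()
        while toks and toks[0] == "&&":
            toks.pop(0)
            v = cmp_expr() and v   # rhs evaluated unconditionally so its tokens are consumed
        return v
    def or_expr():
        v = and_expr()
        while toks and toks[0] == "||":
            toks.pop(0)
            v = and_expr() or v
        return v
    result = or_expr()
    assert not toks, f"trailing tokens: {toks}"
    return bool(result)

def role_for(node):
    """Apply the stanza: a registered node matching the condition gets role REJECT."""
    return "REJECT" if evaluate(REJECT_CONDITION, node) else None
```

With constructed records, a CORP-LAN machine that fell back to MAB (`Ethernet-NoEAP`) gets `REJECT`, while the same machine on `Ethernet-EAP` and a `guest`-category device on MAB are left alone.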
On 21-02-09 at 17:00, Robert McNutt via PacketFence-users wrote:
Still struggling with this logic which I think should be simple.
We're trying to set up a radius filter to only allow MAB for devices
with a specific role... for example IP phones and Printers. We have an
issue where Macintoshes and some PCs just default to MAB and they get
access to their trusted VLAN. This seems to defeat the purpose of NAC
but it seems like there should be a way to only allow 802.1X for some
devices and only MAB for others.
Has anyone else run into this or have any ideas to not fall back to
MAB for some devices?
Robert McNutt
On Thu, Apr 23, 2020 at 7:55 AM Ludovic Zammit <[email protected]> wrote:
Hello Robert,
A fix has been done yesterday regarding the connection type:
https://github.com/inverse-inc/packetfence/commit/176c6d6df606cff86a83c9cf93a571c44dd52da0
Apply the maintenance branch and check if it fixes it.
/usr/local/pf/addons/pf-maint.pl
Thanks,
Ludovic Zammit
[email protected] :: +1.514.447.4918 (x145) :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence
(http://packetfence.org)
On Apr 22, 2020, at 3:58 PM, Robert McNutt via PacketFence-users <[email protected]> wrote:
I'm trying to set a radius filter to block mac auth for any
devices assigned to roles that should only auth via PEAP or
EAP-TLS...
For example, if a port has a phone and computer plugged in, the
phone will do mac auth but the computer should never get a radius
accept for mac auth... what's happening by default is if a
computer fails dot1x auth it then falls back to mac auth and PF
accepts it because the node was registered... this is what I'm
trying to prevent...
I set up a radius filter as such:
connection_type == "Ethernet-NoEAP" && (node_info.category == "CORP-LAN" || node_info.category == "ADMIN-LAN")
It never matches... But if I change the logic to be NOT
Ethernet-EAP, everything matches, EAP and not EAP... it seems as
if the connection_type isn't actually being read by the filter
parsing... Am I missing something?
Robert McNutt
_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users