I actually set this up this way also but the vlan filter still returns a radius accept to the switch even though it’s sending a REJECT. Is there any way for this method to not send the radius accept but instead a radius Reject?
On Wed, Feb 10, 2021 at 7:47 PM Durand fabrice via PacketFence-users <packetfence-users@lists.sourceforge.net> wrote:

> Hello Robert,
>
> It's more a vlan filter that you have to do.
>
> [RejectUnauthorizedRoleMAB]
> run_actions=enabled
> status=enabled
> top_op=and
> description=RejectUnauthorizedRoleMAB
> scopes=RegisteredRole
> role=REJECT
> condition=connection_type == "Ethernet-NoEAP" && !((node_info.category == "gaming" || node_info.category == "guest"))
>
> Regards
>
> Fabrice
>
> On 21-02-09 at 17:00, Robert McNutt via PacketFence-users wrote:
>
> Still struggling with this logic, which I think should be simple.
>
> We're trying to set up a radius filter to only allow MAB for devices with a specific role... for example IP phones and printers. We have an issue where Macintoshes and some PCs just default to MAB and they get access to their trusted VLAN. This seems to defeat the purpose of NAC, but it seems like there should be a way to only allow 802.1X for some devices and only MAB for others.
>
> Has anyone else run into this or have any ideas to not fall back to MAB for some devices?
>
> Robert McNutt
>
> On Thu, Apr 23, 2020 at 7:55 AM Ludovic Zammit <lzam...@inverse.ca> wrote:
>
>> Hello Robert,
>>
>> A fix has been done yesterday regarding the connection type:
>>
>> https://github.com/inverse-inc/packetfence/commit/176c6d6df606cff86a83c9cf93a571c44dd52da0
>>
>> Apply the maintenance branch and check if it fixes it.
>>
>> /usr/local/pf/addons/pf-maint.pl
>>
>> Thanks,
>>
>> Ludovic Zammit
>> lzam...@inverse.ca :: +1.514.447.4918 (x145) :: www.inverse.ca
>> Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence (http://packetfence.org)
>>
>> On Apr 22, 2020, at 3:58 PM, Robert McNutt via PacketFence-users <packetfence-users@lists.sourceforge.net> wrote:
>>
>> I'm trying to set a radius filter to block mac auth for any devices assigned to roles that should only auth via PEAP or EAP-TLS...
>>
>> For example, if a port has a phone and computer plugged in, the phone will do mac auth but the computer should never get a radius accept for mac auth... what's happening by default is if a computer fails dot1x auth it then falls back to mac auth and PF accepts it because the node was registered... this is what I'm trying to prevent...
>>
>> I set up a radius filter as such:
>>
>> connection_type == "Ethernet-NoEAP" && (node_info.category == "CORP-LAN" || node_info.category == "ADMIN-LAN")
>>
>> It never matches... But if I change the logic to be NOT Ethernet-EAP, everything matches, EAP and not EAP... it seems as if the connection_type isn't actually being read by the filter parsing... Am I missing something?
>>
>> Robert McNutt
>> _______________________________________________
>> PacketFence-users mailing list
>> PacketFence-users@lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/packetfence-users
>
> --
> Robert McNutt
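To see exactly which requests the RejectUnauthorizedRoleMAB condition quoted above catches, here is an added example that is not part of the thread and not PacketFence's own filter engine: a small Python evaluator for that condition syntax (`==`, `!`, `&&`, `||`, parentheses), run against constructed request contexts. Operator precedence and the `node_info.category` lookup are assumptions made for the example, not PacketFence's implementation.

```python
import re
# Added example (not PacketFence's own engine): evaluates the condition syntax used
# in the vlan-filter stanza above (==, !, &&, ||, parentheses) against constructed
# request contexts. Operator precedence and name resolution are assumed.
TOKEN = re.compile(r'\s*(?:(==|&&|\|\||[!()])|"([^"]*)"|([A-Za-z_][\w.]*))')
CONDITION = ('connection_type == "Ethernet-NoEAP" && '       # RejectUnauthorizedRoleMAB
             '!((node_info.category == "gaming" || node_info.category == "guest"))')

def tokenize(expr):
    tokens, pos, expr = [], 0, expr.strip()
    while pos < len(expr):
        m = TOKEN.match(expr, pos)
        if not m: raise ValueError(f"bad token near {expr[pos:pos + 10]!r}")
        op, lit, ident = m.groups()
        tokens.append(("op", op) if op else ("str", lit) if lit is not None else ("id", ident))
        pos = m.end()
    return tokens + [("end", None)]          # sentinel: lookahead never runs off the end

class Parser:  # precedence: ! binds tightest, then &&, then ||
    def __init__(self, tokens, ctx): self.toks, self.ctx, self.i = tokens, ctx, 0
    def take(self): tok = self.toks[self.i]; self.i += 1; return tok
    def expr(self):                          # or-level
        v = self.term()
        while self.toks[self.i] == ("op", "||"):
            self.take(); rhs = self.term(); v = v or rhs
        return v
    def term(self):                          # and-level
        v = self.factor()
        while self.toks[self.i] == ("op", "&&"):
            self.take(); rhs = self.factor(); v = v and rhs
        return v
    def factor(self):                        # ! factor | ( expr ) | name == "value"
        if self.toks[self.i] == ("op", "!"):
            self.take(); return not self.factor()
        if self.toks[self.i] == ("op", "("):
            self.take(); v = self.expr()
            if self.take() != ("op", ")"): raise ValueError("missing ')'")
            return v
        (kind, name), (_, op), (kind2, value) = self.take(), self.take(), self.take()
        if (kind, op, kind2) != ("id", "==", "str"): raise ValueError(f"bad comparison near {name!r}")
        cur = self.ctx                       # resolve dotted names such as node_info.category
        for part in name.split("."):
            cur = cur.get(part) if isinstance(cur, dict) else None
        return cur == value

def decide(condition, ctx, role="REJECT"):
    # Role the filter would assign for this request, or None when the condition does not match
    p = Parser(tokenize(condition), ctx); matched = p.expr()
    if p.toks[p.i] != ("end", None): raise ValueError("unparsed trailing tokens")
    return role if matched else None
```

With the quoted condition, a MAB request (`Ethernet-NoEAP`) from a node in category `CORP-LAN` yields `REJECT`, while the same node over `Ethernet-EAP`, or a `guest` node over MAB, yields `None`; whether the switch then sees an Access-Reject or an Access-Accept is the question the thread leaves open.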