Hello Robert,
To answer this question, I need the packetfence.log.
Regards
Fabrice
On 2021-02-10 at 20:19, Robert McNutt wrote:
I actually set this up this way also, but the vlan filter still returns
a RADIUS Accept to the switch even though it's sending a REJECT. Is
there any way for this method to not send the RADIUS Accept but
instead a RADIUS Reject?
On Wed, Feb 10, 2021 at 7:47 PM Durand fabrice via PacketFence-users
<[email protected]> wrote:
Hello Robert,
it's more a vlan filter that you have to do.
[RejectUnauthorizedRoleMAB]
run_actions=enabled
status=enabled
top_op=and
description=RejectUnauthorizedRoleMAB
scopes=RegisteredRole
role=REJECT
condition=connection_type == "Ethernet-NoEAP" && !((node_info.category == "gaming" || node_info.category == "guest"))
Regards
Fabrice
On 2021-02-09 at 17:00, Robert McNutt via PacketFence-users wrote:
Still struggling with this logic, which I think should be simple.
We're trying to set up a RADIUS filter to only allow MAB for
devices with a specific role... for example IP phones and
printers. We have an issue where Macintoshes and some PCs just
default to MAB and they get access to their trusted VLAN. This
seems to defeat the purpose of NAC, but it seems like there should
be a way to only allow 802.1X for some devices and only MAB for
others.
Has anyone else run into this or have any ideas to not fall back
to MAB for some devices?
Robert McNutt
On Thu, Apr 23, 2020 at 7:55 AM Ludovic Zammit
<[email protected]> wrote:
Hello Robert,
A fix has been done yesterday regarding the connection type:
https://github.com/inverse-inc/packetfence/commit/176c6d6df606cff86a83c9cf93a571c44dd52da0
Apply the maintenance branch and check if it fixes it.
/usr/local/pf/addons/pf-maint.pl
Thanks,
Ludovic Zammit
[email protected] :: +1.514.447.4918 (x145) :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and
PacketFence (http://packetfence.org)
On Apr 22, 2020, at 3:58 PM, Robert McNutt via
PacketFence-users <[email protected]> wrote:
I'm trying to set a radius filter to block mac auth for any
devices assigned to roles that should only auth via PEAP or
EAP-TLS...
For example, if a port has a phone and computer plugged in,
the phone will do mac auth but the computer should never get
a RADIUS Accept for mac auth... what's happening by default
is if a computer fails dot1x auth it then falls back to mac
auth and PF accepts it because the node was registered...
this is what I'm trying to prevent...
I set up a radius filter as such:
connection_type == "Ethernet-NoEAP" && (node_info.category == "CORP-LAN" || node_info.category == "ADMIN-LAN")
It never matches... But if I change the logic to be NOT
Ethernet-EAP, everything matches, EAP and not EAP... it
seems as if the connection_type isn't actually being read by
the filter parsing... Am I missing something?
Robert McNutt
_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
--
Robert McNutt
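As an added illustration (this is not PacketFence code; PacketFence evaluates filter conditions in Perl inside its own filter engine), the following Python reimplements just enough of the condition grammar used in this thread (==, !=, &&, ||, !, parentheses, "quoted" strings and dotted attribute names such as node_info.category) to trace what Fabrice's RejectUnauthorizedRoleMAB filter and Robert's original condition decide for a few constructed requests. The request samples, the evaluate/apply_filter helpers and the treatment of an undefined attribute as an empty string are this example's own assumptions, not PacketFence behaviour.

```python
"""Toy evaluator for PacketFence-style filter conditions (added example, not PacketFence code)."""
import re

# One token per match: an operator, a "quoted" string, or a dotted name.
TOKEN_RE = re.compile(r'\s*(?:(&&|\|\||==|!=|!|\(|\))|"([^"]*)"|([A-Za-z_][\w.]*))')


def tokenize(expr):
    """Split a condition string into (kind, value) tokens."""
    tokens, pos, expr = [], 0, expr.strip()
    while pos < len(expr):
        m = TOKEN_RE.match(expr, pos)
        if not m:
            raise ValueError(f"bad token near {expr[pos:pos + 10]!r}")
        op, string, name = m.groups()
        if op:
            tokens.append(("op", op))
        elif string is not None:
            tokens.append(("str", string))
        else:
            tokens.append(("name", name))
        pos = m.end()
    return tokens


class Parser:
    """Recursive-descent evaluator: or_expr > and_expr > not_expr > comparison > operand."""

    def __init__(self, expr, ctx):
        self.toks, self.i, self.ctx = tokenize(expr), 0, ctx

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else (None, None)

    def take(self, kind=None, value=None):
        tok = self.peek()
        if tok[0] is None or (kind and tok[0] != kind) or (value and tok[1] != value):
            raise ValueError(f"unexpected token {tok}")
        self.i += 1
        return tok

    def parse(self):
        result = self.or_expr()
        if self.peek()[0] is not None:
            raise ValueError("trailing tokens")
        return result

    def or_expr(self):
        left = self.and_expr()
        while self.peek() == ("op", "||"):
            self.take()
            right = self.and_expr()
            left = left or right
        return left

    def and_expr(self):
        left = self.not_expr()
        while self.peek() == ("op", "&&"):
            self.take()
            right = self.not_expr()
            left = left and right
        return left

    def not_expr(self):
        if self.peek() == ("op", "!"):
            self.take()
            return not self.not_expr()
        return self.comparison()

    def comparison(self):
        left = self.operand()
        if self.peek() in (("op", "=="), ("op", "!=")):
            op = self.take()[1]
            right = self.operand()
            return left == right if op == "==" else left != right
        return bool(left)

    def operand(self):
        kind, val = self.peek()
        if kind == "op" and val == "(":
            self.take()
            inner = self.or_expr()
            self.take("op", ")")
            return inner
        if kind in ("str", "name"):
            self.take()
            return val if kind == "str" else self.lookup(val)
        raise ValueError(f"unexpected token {(kind, val)}")

    def lookup(self, dotted):
        """Resolve node_info.category etc.; a missing attribute reads as "" (assumption)."""
        value = self.ctx
        for part in dotted.split("."):
            value = value.get(part, "") if isinstance(value, dict) else ""
        return value


def evaluate(expr, ctx):
    return Parser(expr, ctx).parse()


# Fabrice's vlan filter from the thread, expressed as data.
REJECT_UNAUTHORIZED_MAB = {
    "scopes": ["RegisteredRole"],
    "role": "REJECT",
    "condition": 'connection_type == "Ethernet-NoEAP" && '
                 '!((node_info.category == "gaming" || node_info.category == "guest"))',
}

# Constructed sample requests (not taken from a real packetfence.log).
SAMPLES = {
    "mab_corp": {"connection_type": "Ethernet-NoEAP", "node_info": {"category": "CORP-LAN"}},
    "dot1x_corp": {"connection_type": "Ethernet-EAP", "node_info": {"category": "CORP-LAN"}},
    "mab_guest": {"connection_type": "Ethernet-NoEAP", "node_info": {"category": "guest"}},
}


def apply_filter(filt, scope, ctx):
    """Role the filter assigns in this scope, or None when it falls through."""
    if scope not in filt["scopes"]:
        return None
    return filt["role"] if evaluate(filt["condition"], ctx) else None


def decisions():
    return {name: apply_filter(REJECT_UNAUTHORIZED_MAB, "RegisteredRole", ctx)
            for name, ctx in SAMPLES.items()}
```

Running decisions() shows the intended outcome: the MAB request from a CORP-LAN node gets role REJECT, the 802.1X request from the same node falls through, and the MAB request from a guest node falls through. Whether PacketFence then actually sends a RADIUS Access-Reject for that role is the separate question raised in the thread, which this evaluator does not answer.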