For the time being, VLAN2 simply serves as an isolation VLAN. The workstations should not access anything from this VLAN.
________________________________ De : Ludovic Zammit <lzam...@inverse.ca> Envoyé : jeudi, 8 avril 2021 13:33 À : Heusler Marie-Cécile Cc : packetfence-users@lists.sourceforge.net Objet : Re: VLAN for rejected machine What’s the VLAN 2 and his purpose? Thanks, Ludovic Zammit lzam...@inverse.ca<mailto:lzam...@inverse.ca> :: +1.514.447.4918 (x145) :: www.inverse.ca<https://www.inverse.ca/> Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu<http://www.sogo.nu/>) and PacketFence (http://packetfence.org<http://packetfence.org/>) On Apr 8, 2021, at 1:38 AM, Heusler Marie-Cécile <marie-cecile.heus...@divtec.ch<mailto:marie-cecile.heus...@divtec.ch>> wrote: The devices are, for example, laptops that are not part of the domain. I want them to enter VLAN2, but I don't know them in advance. Where do I specify that I want them to be in VLAN2, without their login failing with my AD source? What I've tried to do so far is to create a second Authorization source, and a new profile that uses that source. I don't know if this is correct. <pastedImage.png> <pastedImage.png> Thanks ________________________________ De : Ludovic Zammit <lzam...@inverse.ca<mailto:lzam...@inverse.ca>> Envoyé : mercredi, 7 avril 2021 13:53:40 À : Heusler Marie-Cécile Cc : packetfence-users@lists.sourceforge.net<mailto:packetfence-users@lists.sourceforge.net> Objet : Re: VLAN for rejected machine With Mac authentication, you will need to pre-import your Mac address if you know them, create a VLAN filter that automatically a MAC OUI for example or you redirect the on the captive portal to give them an option to register themselves. In your case, if you don’t know them, you return a VLAN 2 (don’t forget to return VLAN 2 in the registration role in the switch configuration) and they will never get a role and registered. They will end up having access on VLAN 2. What are those devices ? Thanks, Ludovic Zammit lzam...@inverse.ca<mailto:lzam...@inverse.ca> :: +1.514.447.4918 (x145) :: www.inverse.ca<https://www.inverse.ca/> Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu<http://www.sogo.nu/>) and PacketFence (http://packetfence.org<http://packetfence.org/>) On Apr 7, 2021, at 1:25 AM, Heusler Marie-Cécile <marie-cecile.heus...@divtec.ch<mailto:marie-cecile.heus...@divtec.ch>> wrote: Ok, I enabled mac authentication, but now here are my radius logs once I connect the node to the switch: Apr 7 07:19:51 TPI-PF1 auth[1944]: Adding client 192.168.137.200/32 Apr 7 07:19:51 TPI-PF1 auth[1944]: [mac:98:e7:f4:14:44:f0] Accepted user: and returned VLAN Apr 7 07:19:51 TPI-PF1 auth[1944]: (3879) Login OK: [98e7f41444f0] (from client 192.168.137.200/32 port 19 cli 98:e7:f4:14:44:f0) Apr 7 07:19:51 TPI-PF1 packetfence_httpd.aaa: httpd.aaa(1218) INFO: [mac:98:e7:f4:14:44:f0] handling radius autz request: from switch_ip => (192.168.137.200), connection_type => Ethernet-NoEAP,switch_mac => (00:16:b9:0b:37:0d), mac => [98:e7:f4:14:44:f0], port => 19, username => "98e7f41444f0" (pf::radius::authorize) Apr 7 07:19:51 TPI-PF1 packetfence_httpd.aaa: httpd.aaa(1218) INFO: [mac:98:e7:f4:14:44:f0] Instantiate profile default (pf::Connection::ProfileFactory::_from_profile) Apr 7 07:19:51 TPI-PF1 packetfence_httpd.aaa: httpd.aaa(1218) INFO: [mac:98:e7:f4:14:44:f0] Match rule Email-on-role (pf::access_filter::test) Apr 7 07:19:51 TPI-PF1 packetfence_httpd.aaa: httpd.aaa(1218) INFO: [mac:98:e7:f4:14:44:f0] Found authentication source(s) : 'local,file1,MonDomaine' for realm 'null' (pf::config::util::filter_authentication_sources) Apr 7 07:19:51 TPI-PF1 packetfence_httpd.aaa: httpd.aaa(1218) WARN: [mac:98:e7:f4:14:44:f0] No category computed for autoreg (pf::role::getNodeInfoForAutoReg) Apr 7 07:19:51 TPI-PF1 packetfence_httpd.aaa: httpd.aaa(1218) INFO: [mac:98:e7:f4:14:44:f0] Match rule Email-on-role (pf::access_filter::test) Apr 7 07:19:51 TPI-PF1 packetfence_httpd.webservices: httpd.webservices(1790) WARN: [mac:98:e7:f4:14:44:f0] Unable to pull accounting history for device 98:e7:f4:14:44:f0. The history set doesn't exist yet. (pf::accounting_events_history::latest_mac_history) Apr 7 07:19:51 TPI-PF1 packetfence_httpd.aaa: httpd.aaa(1218) INFO: [mac:98:e7:f4:14:44:f0] Found authentication source(s) : 'local,file1,MonDomaine' for realm 'null' (pf::config::util::filter_authentication_sources) Apr 7 07:19:51 TPI-PF1 packetfence_httpd.aaa: httpd.aaa(1218) INFO: [mac:98:e7:f4:14:44:f0] Connection type is MAC-AUTH. Getting role from node_info (pf::role::getRegisteredRole) Apr 7 07:19:51 TPI-PF1 packetfence_httpd.aaa: httpd.aaa(1218) WARN: [mac:98:e7:f4:14:44:f0] Use of uninitialized value $role in concatenation (.) or string at /usr/local/pf/lib/pf/role.pm line 489. (pf::role::getRegisteredRole) Apr 7 07:19:51 TPI-PF1 packetfence_httpd.aaa: httpd.aaa(1218) INFO: [mac:98:e7:f4:14:44:f0] Username was NOT defined or unable to match a role - returning node based role '' (pf::role::getRegisteredRole) I tried to create a new connection profile, but the result is the same. Any ideas? Thanks ________________________________ De : Ludovic Zammit <lzam...@inverse.ca<mailto:lzam...@inverse.ca>> Envoyé : mardi, 6 avril 2021 19:48 À : Heusler Marie-Cécile Cc : packetfence-users@lists.sourceforge.net<mailto:packetfence-users@lists.sourceforge.net> Objet : Re: VLAN for rejected machine You can’t because if those not joined machines connect over 802.1x they will fail and stay there. What you want to do is 802.1x + Mac authentication bypass (MAB) on the switch port. A none corporate machine should do MAB and land on the captive portal and authenticate. If you want to skip that part, you can put VLAN ID 2 in the registration role on the switch so everyone that do Mac authentication would be redirected on VLAN 2. Thanks, Ludovic Zammit lzam...@inverse.ca<mailto:lzam...@inverse.ca> :: +1.514.447.4918 (x145) :: www.inverse.ca<https://www.inverse.ca/> Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu<http://www.sogo.nu/>) and PacketFence (http://packetfence.org<http://packetfence.org/>) On Apr 6, 2021, at 1:33 PM, Heusler Marie-Cécile <marie-cecile.heus...@divtec.ch<mailto:marie-cecile.heus...@divtec.ch>> wrote: Hello I have an authentication source that gives the role VLAN1 to the corporate machines. <pastedImage.png> <pastedImage.png> Now I want to give to the non-corporate machines the role VLAN2. However, I can't assign a role to a node that can't login to the source. Adding client 10.104.92.130/32 Apr 6 19:11:06 packetfence auth[19459]: (195) chrooted_mschap_machine: ERROR: Program returned code (1) and output 'Logon failure (0xc000006d)' Apr 6 19:11:06 packetfence auth[19459]: (195) Login incorrect (chrooted_mschap_machine: Program returned code (1) and output 'Logon failure (0xc000006d)'): [host/client.tpi.local] (from client 10.104.92.130/32 port 21 cli 2c:44:fd:65:ab:27 via TLS tunnel) Apr 6 19:11:06 packetfence auth[19459]: [mac:2c:44:fd:65:ab:27] Rejected user: host/client.tpi.local Apr 6 19:11:06 packetfence auth[19459]: (196) Login incorrect (eap_peap: The users session was previously rejected: returning reject (again.)): [host/client.tpi.local] (from client 10.104.92.130/32 port 21 cli 2c:44:fd:65:ab:27) A client that are not in the domain will have a login incorrect. But how can I say that every client out of the domain will move to the VLAN2 role ? Thank you for your reply.
_______________________________________________ PacketFence-users mailing list PacketFence-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/packetfence-users
