Ok, but I don't want the guests to be able to register and access the network; I don't want them to access anything, I just want them to be in VLAN 2. I don't know these guests in advance; it could be someone outside the company who plugs their computer into a switch, for example. I want them to enter VLAN 2, isolated.

Thank you very much for all your answers.

________________________________
From: Ludovic Zammit <lzam...@inverse.ca>
Sent: Friday, 9 April 2021 14:47
To: Heusler Marie-Cécile
Cc: packetfence-users@lists.sourceforge.net
Subject: Re: VLAN for rejected machine

The sources are displayed on the captive portal with the registration VLAN. No registration VLAN, no captive portal, no guest registration. If you want your guests to get connected on the network, you will need to import all the MAC addresses into PacketFence using a CSV import under Node. Yes, they will use MAC authentication.

Thanks,
Ludovic Zammit
lzam...@inverse.ca :: +1.514.447.4918 (x145) :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence (http://packetfence.org)

On Apr 9, 2021, at 8:43 AM, Heusler Marie-Cécile <marie-cecile.heus...@divtec.ch> wrote:

Thank you very much for these explanations. As I understand it, I still need to create an authentication source for guests using MAC authentication; they are not automatically put in the registration VLAN if they are not authenticated with 802.1X.

________________________________
From: Ludovic Zammit <lzam...@inverse.ca>
Sent: Friday, 9 April 2021 14:34
To: Heusler Marie-Cécile
Cc: packetfence-users@lists.sourceforge.net
Subject: Re: VLAN for rejected machine

Ok, let me show a basic workflow for wireless; it works almost the same for wired authentication. Here is the diagram showing the interaction between PacketFence, the endpoint, the AP and the WLAN controller:

[attachment: Mail Attachment.png]

1. User initiates association to WLAN AP and transmits MAC address. If user accesses network via a registered device in PacketFence, go to 8.
2. The WLAN controller transmits MAC address via RADIUS to the PacketFence server to authenticate/authorize that MAC address on the AP.
3. PacketFence server conducts address audit in its database. If it does not recognize the MAC address, go to 4. If it does, go to 8.
4. PacketFence server directs WLAN controller via RADIUS (RFC2868 attributes) to put the device in an "unauthenticated role" (a set of ACLs that would limit/redirect the user to the PacketFence captive portal for registration, or we can also use a registration VLAN in which PacketFence does DNS blackholing and is the DHCP server).
5. The user's device issues a DHCP/DNS request to PacketFence (which is a DHCP/DNS server on this VLAN or for this role), which sends the IP and DNS information. At this point, ACLs are limiting/redirecting the user to PacketFence's captive portal for authentication. PacketFence fingerprints the device (user-agent attributes, DHCP information & MAC address patterns), on which it can take various actions including: keep device on registration portal, direct to alternate captive portal, auto-register the device, auto-block the device, etc. If the device remains on the registration portal, the user registers by providing the information (username/password, cell phone number, etc.). At this time PacketFence could also require the device to go through a posture assessment (using Nessus, OpenVAS, etc.).
6. If authentication is required (username/password) through a login form, those credentials are validated via the directory server (or any other authentication source, like LDAP, SQL, RADIUS, SMS, Facebook, Google+, etc.), which provides user attributes to PacketFence, which creates a user+device policy profile in its database.
7. PacketFence performs a Change of Authorization (RFC3576) on the controller and the user must be re-authenticated/reauthorized, so we go back to 1.
8. PacketFence server directs WLAN controller via RADIUS to put the device in an "authenticated role", or in the "normal" VLAN.

Then in a normal deployment you would have one secured SSID with 802.1X EAP-PEAP and one open captive-portal SSID using MAC authentication.

The secure SSID is to authenticate corporate devices like domain-joined computers, users that own AD credentials. It requires a configuration on the devices to instruct them to push or ask for a username/password or even a computer account.

The open SSID is to authenticate guest users on a captive portal using MAC authentication. You can use VLAN enforcement to redirect them into a VLAN (Registration) that PacketFence manages 100% (in most cases not routed; DHCP, DNS and gateway), or you can use the Web Authentication method if the equipment supports it. On that guest portal, you can authenticate the guest with many different sources of authentication; the most used are the Email registration and the SMS registration. You could mix them up, like Guest type (SMS + Email) + Login type (AD). You can't mix up the method of authentication on wireless.

Secure SSID = WPA2 Enterprise 802.1X EAP-PEAP (or EAP-TLS) without captive portal (auto-registration)
Open SSID = Open, no encryption, RADIUS MAC authentication with a captive portal

On the wired side, you can have 802.1X then MAC authentication configured on a switch port. The MAC authentication configured that way will most likely engage 30 seconds later if the computer does not push an 802.1X identity. That is where you authenticate your wired guests. You should redirect them into the PF registration VLAN to show them the captive portal. In some cases, you want your MAC authentication users to be dropped directly into a production VLAN without doing anything, to give them direct access to the network, for a roll-out for example.

I hope it makes it clearer.
Thanks,
Ludovic Zammit

On Apr 9, 2021, at 8:17 AM, Heusler Marie-Cécile <marie-cecile.heus...@divtec.ch> wrote:

But which source should the non-domain items use? VLAN ID 2 is assigned to the registration role on the switch.

________________________________
From: Ludovic Zammit <lzam...@inverse.ca>
Sent: Friday, 9 April 2021 13:53
To: Heusler Marie-Cécile
Cc: packetfence-users@lists.sourceforge.net
Subject: Re: VLAN for rejected machine

Hello,

Show me the conf/authentication.conf. You are definitely registering that device with a source where the rule is not well configured. On each rule, you need to return an Access Duration / Unregistration date and a Role. The Role needs to be configured with the VLAN ID in the switch config.

Thanks,
Ludovic Zammit

On Apr 9, 2021, at 12:22 AM, Heusler Marie-Cécile <marie-cecile.heus...@divtec.ch> wrote:

Apr 9 06:21:21 TPI-PF1 packetfence_httpd.aaa: httpd.aaa(1235) INFO: [mac:2c:44:fd:65:ab:27] handling radius autz request: from switch_ip => (192.168.137.200), connection_type => Ethernet-NoEAP,switch_mac => (00:16:b9:0b:37:0d), mac => [2c:44:fd:65:ab:27], port => 19, username => "2c44fd65ab27" (pf::radius::authorize)
Apr 9 06:21:21 TPI-PF1 packetfence_httpd.aaa: httpd.aaa(1235) INFO: [mac:2c:44:fd:65:ab:27] Instantiate profile default (pf::Connection::ProfileFactory::_from_profile)
Apr 9 06:21:21 TPI-PF1 packetfence_httpd.aaa: httpd.aaa(1235) INFO: [mac:2c:44:fd:65:ab:27] Match rule Email-on-role (pf::access_filter::test)
Apr 9 06:21:21 TPI-PF1 packetfence_httpd.aaa: httpd.aaa(1235) INFO: [mac:2c:44:fd:65:ab:27] Found authentication source(s) : 'local,file1,MonDomaine' for realm 'null' (pf::config::util::filter_authentication_sources)
Apr 9 06:21:21 TPI-PF1 packetfence_httpd.aaa: httpd.aaa(1235) WARN: [mac:2c:44:fd:65:ab:27] No category computed for autoreg (pf::role::getNodeInfoForAutoReg)
Apr 9 06:21:21 TPI-PF1 packetfence_httpd.aaa: httpd.aaa(1235) WARN: [mac:2c:44:fd:65:ab:27] No role specified or found for pid 2c44fd65ab27 (MAC 2c:44:fd:65:ab:27); assume maximum number of registered nodes is reached (pf::node::is_max_reg_nodes_reached)
Apr 9 06:21:21 TPI-PF1 packetfence_httpd.aaa: httpd.aaa(1235) ERROR: [mac:2c:44:fd:65:ab:27] no role computed by any sources - registration of 2c:44:fd:65:ab:27 to 2c44fd65ab27 failed (pf::registration::setup_node_for_registration)
Apr 9 06:21:21 TPI-PF1 packetfence_httpd.aaa: httpd.aaa(1235) ERROR: [mac:2c:44:fd:65:ab:27] auto-registration of node failed no role computed by any sources (pf::radius::authorize)
Apr 9 06:21:21 TPI-PF1 packetfence_httpd.webservices: httpd.webservices(1907) WARN: [mac:2c:44:fd:65:ab:27] Unable to pull accounting history for device 2c:44:fd:65:ab:27. The history set doesn't exist yet. (pf::accounting_events_history::latest_mac_history)

________________________________
From: Ludovic Zammit <lzam...@inverse.ca>
Sent: Thursday, 8 April 2021 18:32
To: Heusler Marie-Cécile
Cc: packetfence-users@lists.sourceforge.net
Subject: Re: VLAN for rejected machine

Unregister your device and give the output of:

grep 2c:44:fd:65:ab:27 /usr/local/pf/logs/packetfence.log

Thanks,
Ludovic Zammit

On Apr 8, 2021, at 12:03 PM, Heusler Marie-Cécile <marie-cecile.heus...@divtec.ch> wrote:

So it's weird, because here are my logs when I connect an off-domain machine:

Apr 8 18:02:06 TPI-PF1 auth[1993]: [mac:2c:44:fd:65:ab:27] Rejected user: 2c44fd65ab27
Apr 8 18:02:06 TPI-PF1 auth[1993]: (3098) Rejected in post-auth: [2c44fd65ab27] (from client 192.168.137.200/32 port 19 cli 2c:44:fd:65:ab:27)
Apr 8 18:02:06 TPI-PF1 auth[1993]: (3098) Incorrect login: [2c44fd65ab27] (from client 192.168.137.200/32 port 19 cli 2c:44:fd:65:ab:27)
Apr 8 18:02:06 TPI-PF1 auth[1993]: [mac:2c:44:fd:65:ab:27] Rejected user: 2c44fd65ab27
Apr 8 18:02:06 TPI-PF1 auth[1993]: (3098) Rejected in post-auth: [2c44fd65ab27] (from client 192.168.137.200/32 port 19 cli 2c:44:fd:65:ab:27)
Apr 8 18:02:06 TPI-PF1 auth[1993]: (3098) Incorrect login: [2c44fd65ab27] (from client 192.168.137.200/32 port 19 cli 2c:44:fd:65:ab:27)

And I get the message 'no role computed by any source'. However, if I create a 'null' source and create a profile with the filter "ethernet no-eap" and my null source, it works.

________________________________
From: Ludovic Zammit <lzam...@inverse.ca>
Sent: Thursday, 8 April 2021 17:56
To: Heusler Marie-Cécile
Cc: packetfence-users@lists.sourceforge.net
Subject: Re: VLAN for rejected machine

No, it's a default behavior: they will be put in VLAN 2 if they are unregistered.

Thanks,
Ludovic Zammit

On Apr 8, 2021, at 10:25 AM, Heusler Marie-Cécile <marie-cecile.heus...@divtec.ch> wrote:

That's what I did, but do I have to create a specific source for that, and a profile?

________________________________
From: Ludovic Zammit <lzam...@inverse.ca>
Sent: Thursday, 8 April 2021 16:11:59
To: Heusler Marie-Cécile
Cc: packetfence-users@lists.sourceforge.net
Subject: Re: VLAN for rejected machine

Ok, so put VLAN 2 as the registration VLAN in your switch configuration under Configuration > Policies and Access Control > Switches > Switch IP > Roles > Registration -> 2

Thanks,
Ludovic Zammit

On Apr 8, 2021, at 9:48 AM, Heusler Marie-Cécile <marie-cecile.heus...@divtec.ch> wrote:

Not really. I just want the devices that don't match my AD source to go to VLAN 2 and be able to do nothing.
________________________________
From: Ludovic Zammit <lzam...@inverse.ca>
Sent: Thursday, 8 April 2021 15:29
To: Heusler Marie-Cécile
Cc: packetfence-users@lists.sourceforge.net
Subject: Re: VLAN for rejected machine

Is this the registration VLAN?

Thanks,
Ludovic Zammit

On Apr 8, 2021, at 8:12 AM, Heusler Marie-Cécile <marie-cecile.heus...@divtec.ch> wrote:

For the time being, VLAN 2 simply serves as an isolation VLAN. The workstations should not access anything from this VLAN.

________________________________
From: Ludovic Zammit <lzam...@inverse.ca>
Sent: Thursday, 8 April 2021 13:33
To: Heusler Marie-Cécile
Cc: packetfence-users@lists.sourceforge.net
Subject: Re: VLAN for rejected machine

What is VLAN 2 and what is its purpose?

Thanks,
Ludovic Zammit

On Apr 8, 2021, at 1:38 AM, Heusler Marie-Cécile <marie-cecile.heus...@divtec.ch> wrote:

The devices are, for example, laptops that are not part of the domain. I want them to enter VLAN 2, but I don't know them in advance. Where do I specify that I want them to be in VLAN 2, without their login failing with my AD source? What I've tried to do so far is to create a second authentication source, and a new profile that uses that source. I don't know if this is correct.

Thanks

________________________________
From: Ludovic Zammit <lzam...@inverse.ca>
Sent: Wednesday, 7 April 2021 13:53:40
To: Heusler Marie-Cécile
Cc: packetfence-users@lists.sourceforge.net
Subject: Re: VLAN for rejected machine

With MAC authentication, you will need to pre-import your MAC addresses if you know them, create a VLAN filter that matches a MAC OUI automatically, for example, or redirect them to the captive portal to give them an option to register themselves.

In your case, if you don't know them, you return VLAN 2 (don't forget to return VLAN 2 in the registration role in the switch configuration) and they will never get a role or be registered. They will end up having access on VLAN 2.

What are those devices?

Thanks,
Ludovic Zammit

On Apr 7, 2021, at 1:25 AM, Heusler Marie-Cécile <marie-cecile.heus...@divtec.ch> wrote:

Ok, I enabled MAC authentication, but now here are my RADIUS logs once I connect the node to the switch:

Apr 7 07:19:51 TPI-PF1 auth[1944]: Adding client 192.168.137.200/32
Apr 7 07:19:51 TPI-PF1 auth[1944]: [mac:98:e7:f4:14:44:f0] Accepted user: and returned VLAN
Apr 7 07:19:51 TPI-PF1 auth[1944]: (3879) Login OK: [98e7f41444f0] (from client 192.168.137.200/32 port 19 cli 98:e7:f4:14:44:f0)
Apr 7 07:19:51 TPI-PF1 packetfence_httpd.aaa: httpd.aaa(1218) INFO: [mac:98:e7:f4:14:44:f0] handling radius autz request: from switch_ip => (192.168.137.200), connection_type => Ethernet-NoEAP,switch_mac => (00:16:b9:0b:37:0d), mac => [98:e7:f4:14:44:f0], port => 19, username => "98e7f41444f0" (pf::radius::authorize)
Apr 7 07:19:51 TPI-PF1 packetfence_httpd.aaa: httpd.aaa(1218) INFO: [mac:98:e7:f4:14:44:f0] Instantiate profile default (pf::Connection::ProfileFactory::_from_profile)
Apr 7 07:19:51 TPI-PF1 packetfence_httpd.aaa: httpd.aaa(1218) INFO: [mac:98:e7:f4:14:44:f0] Match rule Email-on-role (pf::access_filter::test)
Apr 7 07:19:51 TPI-PF1 packetfence_httpd.aaa: httpd.aaa(1218) INFO: [mac:98:e7:f4:14:44:f0] Found authentication source(s) : 'local,file1,MonDomaine' for realm 'null' (pf::config::util::filter_authentication_sources)
Apr 7 07:19:51 TPI-PF1 packetfence_httpd.aaa: httpd.aaa(1218) WARN: [mac:98:e7:f4:14:44:f0] No category computed for autoreg (pf::role::getNodeInfoForAutoReg)
Apr 7 07:19:51 TPI-PF1 packetfence_httpd.aaa: httpd.aaa(1218) INFO: [mac:98:e7:f4:14:44:f0] Match rule Email-on-role (pf::access_filter::test)
Apr 7 07:19:51 TPI-PF1 packetfence_httpd.webservices: httpd.webservices(1790) WARN: [mac:98:e7:f4:14:44:f0] Unable to pull accounting history for device 98:e7:f4:14:44:f0. The history set doesn't exist yet. (pf::accounting_events_history::latest_mac_history)
Apr 7 07:19:51 TPI-PF1 packetfence_httpd.aaa: httpd.aaa(1218) INFO: [mac:98:e7:f4:14:44:f0] Found authentication source(s) : 'local,file1,MonDomaine' for realm 'null' (pf::config::util::filter_authentication_sources)
Apr 7 07:19:51 TPI-PF1 packetfence_httpd.aaa: httpd.aaa(1218) INFO: [mac:98:e7:f4:14:44:f0] Connection type is MAC-AUTH. Getting role from node_info (pf::role::getRegisteredRole)
Apr 7 07:19:51 TPI-PF1 packetfence_httpd.aaa: httpd.aaa(1218) WARN: [mac:98:e7:f4:14:44:f0] Use of uninitialized value $role in concatenation (.) or string at /usr/local/pf/lib/pf/role.pm line 489. (pf::role::getRegisteredRole)
Apr 7 07:19:51 TPI-PF1 packetfence_httpd.aaa: httpd.aaa(1218) INFO: [mac:98:e7:f4:14:44:f0] Username was NOT defined or unable to match a role - returning node based role '' (pf::role::getRegisteredRole)

I tried to create a new connection profile, but the result is the same. Any ideas?

Thanks

________________________________
From: Ludovic Zammit <lzam...@inverse.ca>
Sent: Tuesday, 6 April 2021 19:48
To: Heusler Marie-Cécile
Cc: packetfence-users@lists.sourceforge.net
Subject: Re: VLAN for rejected machine

You can't, because if those non-joined machines connect over 802.1X they will fail and stay there. What you want to do is 802.1X + MAC authentication bypass (MAB) on the switch port. A non-corporate machine should do MAB, land on the captive portal and authenticate. If you want to skip that part, you can put VLAN ID 2 in the registration role on the switch, so everyone that does MAC authentication would be redirected to VLAN 2.

Thanks,
Ludovic Zammit

On Apr 6, 2021, at 1:33 PM, Heusler Marie-Cécile <marie-cecile.heus...@divtec.ch> wrote:

Hello

I have an authentication source that gives the role VLAN1 to the corporate machines.

Now I want to give the non-corporate machines the role VLAN2. However, I can't assign a role to a node that can't log in to the source.

Adding client 10.104.92.130/32
Apr 6 19:11:06 packetfence auth[19459]: (195) chrooted_mschap_machine: ERROR: Program returned code (1) and output 'Logon failure (0xc000006d)'
Apr 6 19:11:06 packetfence auth[19459]: (195) Login incorrect (chrooted_mschap_machine: Program returned code (1) and output 'Logon failure (0xc000006d)'): [host/client.tpi.local] (from client 10.104.92.130/32 port 21 cli 2c:44:fd:65:ab:27 via TLS tunnel)
Apr 6 19:11:06 packetfence auth[19459]: [mac:2c:44:fd:65:ab:27] Rejected user: host/client.tpi.local
Apr 6 19:11:06 packetfence auth[19459]: (196) Login incorrect (eap_peap: The users session was previously rejected: returning reject (again.)): [host/client.tpi.local] (from client 10.104.92.130/32 port 21 cli 2c:44:fd:65:ab:27)

A client that is not in the domain will get a "login incorrect". But how can I say that every client outside the domain should move to the VLAN2 role?

Thank you for your reply.
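The three log situations this thread passes through (the Apr 6 802.1X machine-auth reject, the Apr 7 MAC-auth accept that returned an empty VLAN, and the Apr 8/9 MAC-auth reject with "no role computed by any sources") can be told apart mechanically from the lines that `grep <mac> /usr/local/pf/logs/packetfence.log` and the FreeRADIUS auth log produce. The script below is an added example, not PacketFence code and not something posted in the thread: the SAMPLE_* lines are copied from the messages above, while the record fields, the regexes and the wording of explain() are this example's own assumptions about how to summarise those lines.

```python
"""Triage PacketFence MAC-auth / 802.1X log lines per MAC.

Added example for this thread, not PacketFence's own code.  It groups the
lines `grep <mac> /usr/local/pf/logs/packetfence.log` (plus the FreeRADIUS
"auth" lines) returns and states why the request was rejected, or accepted
without a VLAN.  Field names and explain() wording are this example's own;
the SAMPLE_* excerpts are copied from the thread.
"""
import re
from collections import defaultdict

MAC_RE = re.compile(r"\[mac:([0-9a-f:]{17})\]")
CLI_RE = re.compile(r"\bcli ([0-9a-f:]{17})")
AUTZ_RE = re.compile(r"handling radius autz request: from switch_ip => \((?P<switch>[^)]+)\), "
                     r"connection_type => (?P<ctype>[^,]+),.*?port => (?P<port>\d+)")
FROM_RE = re.compile(r"\(from client (?P<switch>[^/\s]+)\S* port (?P<port>\d+)")
SOURCES_RE = re.compile(r"Found authentication source\(s\) : '([^']*)'")
NODE_ROLE_RE = re.compile(r"returning node based role '([^']*)'")
LOGIN_INCORRECT_RE = re.compile(r"Login incorrect \((?P<why>.+?)\): \[(?P<who>[^\]]+)\]")
VLAN_RE = re.compile(r"returned VLAN\s*(\S*)")
NO_ROLE = "no role computed by any sources"


def new_record():
    return {"connection_type": None, "switch": None, "port": None, "sources": [],
            "no_role_computed": False, "node_role": None, "radius": None, "vlan": None,
            "identity": None, "reason": None, "eap_tunnel": False}


def triage(lines):
    """Group log lines by MAC and pull out the fields that decide the outcome."""
    records = defaultdict(new_record)
    for line in lines:
        m = MAC_RE.search(line) or CLI_RE.search(line)
        if not m:
            continue                      # e.g. "Adding client ..." carries no MAC
        rec = records[m.group(1)]
        a = AUTZ_RE.search(line)          # PacketFence's view of the RADIUS request
        if a:
            rec["connection_type"] = a.group("ctype").strip()
            rec["switch"], rec["port"] = a.group("switch"), int(a.group("port"))
        f = FROM_RE.search(line)          # FreeRADIUS "(from client X port N ...)"
        if f and rec["port"] is None:
            rec["switch"], rec["port"] = f.group("switch"), int(f.group("port"))
        s = SOURCES_RE.search(line)
        if s:
            rec["sources"] = s.group(1).split(",")
        r = NODE_ROLE_RE.search(line)
        if r:
            rec["node_role"] = r.group(1)
        if NO_ROLE in line:
            rec["no_role_computed"] = True
        if "via TLS tunnel" in line:      # inner EAP method, i.e. 802.1X rather than MAB
            rec["eap_tunnel"] = True
        li = LOGIN_INCORRECT_RE.search(line)
        if li and rec["reason"] is None:  # keep the first (root-cause) reason only
            rec["reason"], rec["identity"] = li.group("why"), li.group("who")
        if "Rejected user:" in line or "Rejected in post-auth" in line:
            rec["radius"] = "reject"
        if "Accepted user:" in line:
            rec["radius"] = "accept"
            v = VLAN_RE.search(line)
            rec["vlan"] = v.group(1) if v else None
    return dict(records)


def explain(rec):
    """Map a record onto the three situations this thread went through."""
    if rec["eap_tunnel"] and rec["radius"] == "reject":
        return ("802.1X: inner auth failed for %s (%s); a host that is not in the domain "
                "cannot pass this, so it has to fall back to MAB" % (rec["identity"], rec["reason"]))
    if rec["radius"] == "reject" and rec["no_role_computed"]:
        return ("MAC auth: PacketFence tried to auto-register the node but none of %s computed "
                "a role, so RADIUS rejected the MAC; each source rule must return an access "
                "duration and a role mapped to a VLAN on the switch" % ",".join(rec["sources"]))
    if rec["radius"] == "accept" and not rec["vlan"]:
        return "MAC auth: accepted, but the node role is %r so no VLAN was returned" % rec["node_role"]
    return "no known failure pattern"


# Sample excerpts copied from the thread (trimmed to the decisive lines).
SAMPLE_8021X = [
    "Apr 6 19:11:06 packetfence auth[19459]: (195) Login incorrect (chrooted_mschap_machine: Program returned code (1) and output 'Logon failure (0xc000006d)'): [host/client.tpi.local] (from client 10.104.92.130/32 port 21 cli 2c:44:fd:65:ab:27 via TLS tunnel)",
    "Apr 6 19:11:06 packetfence auth[19459]: [mac:2c:44:fd:65:ab:27] Rejected user: host/client.tpi.local",
]
SAMPLE_MAB_ACCEPT_NO_ROLE = [
    "Apr 7 07:19:51 TPI-PF1 auth[1944]: [mac:98:e7:f4:14:44:f0] Accepted user: and returned VLAN",
    "Apr 7 07:19:51 TPI-PF1 packetfence_httpd.aaa: httpd.aaa(1218) INFO: [mac:98:e7:f4:14:44:f0] handling radius autz request: from switch_ip => (192.168.137.200), connection_type => Ethernet-NoEAP,switch_mac => (00:16:b9:0b:37:0d), mac => [98:e7:f4:14:44:f0], port => 19, username => \"98e7f41444f0\" (pf::radius::authorize)",
    "Apr 7 07:19:51 TPI-PF1 packetfence_httpd.aaa: httpd.aaa(1218) INFO: [mac:98:e7:f4:14:44:f0] Username was NOT defined or unable to match a role - returning node based role '' (pf::role::getRegisteredRole)",
]
SAMPLE_MAB_REJECT = [
    "Apr 9 06:21:21 TPI-PF1 packetfence_httpd.aaa: httpd.aaa(1235) INFO: [mac:2c:44:fd:65:ab:27] handling radius autz request: from switch_ip => (192.168.137.200), connection_type => Ethernet-NoEAP,switch_mac => (00:16:b9:0b:37:0d), mac => [2c:44:fd:65:ab:27], port => 19, username => \"2c44fd65ab27\" (pf::radius::authorize)",
    "Apr 9 06:21:21 TPI-PF1 packetfence_httpd.aaa: httpd.aaa(1235) INFO: [mac:2c:44:fd:65:ab:27] Found authentication source(s) : 'local,file1,MonDomaine' for realm 'null' (pf::config::util::filter_authentication_sources)",
    "Apr 9 06:21:21 TPI-PF1 packetfence_httpd.aaa: httpd.aaa(1235) ERROR: [mac:2c:44:fd:65:ab:27] auto-registration of node failed no role computed by any sources (pf::radius::authorize)",
    "Apr 8 18:02:06 TPI-PF1 auth[1993]: [mac:2c:44:fd:65:ab:27] Rejected user: 2c44fd65ab27",
]

if __name__ == "__main__":
    for name, lines in (("802.1X", SAMPLE_8021X), ("MAB accept", SAMPLE_MAB_ACCEPT_NO_ROLE),
                        ("MAB reject", SAMPLE_MAB_REJECT)):
        for mac, rec in triage(lines).items():
            print("%-10s %s -> %s" % (name, mac, explain(rec)))
```

Run as-is it prints one diagnosis per excerpt; to use it on a live box, replace the sample lists with the output of the grep command Ludovic asked for (`triage(open(path))` works on a file object) and look for the "no role computed" case, which is the one where a source rule matched but returned no role, as opposed to the unregistered-node case that lands in the registration VLAN.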
_______________________________________________ PacketFence-users mailing list PacketFence-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/packetfence-users