Re: [PacketFence-users] secure AP Uplink Ports

Thu, 23 Mar 2023 07:54:03 -0700

Let me know if you some more input. I can provide screenshots and other stuff, that's not a problem :)

Am 23.03.2023 08:48 schrieb "Mudrich, J." <j.mudr...@altmark-klinikum.de>:

Hello Michael,

 

THANK YOU! That sounds promising. Now I just have to understand. :D

I’ll get back to you if I have further questions.

 

Kind regards

Johannes

 

 

 



Johannes Mudrich
Mitarbeiter
IT

Altmark-Klinikum gGmbH
Ernst-von-Bergmann-Straße 22
39638 Gardelegen

Tel.:  03907 791229
Fax.:  03907 791248
Mail:  j.mudr...@altmark-klinikum.de

Von: Michael Weber [mailto:michael.we...@my-chi.de]
Gesendet: Donnerstag, 23. März 2023 07:53
An: packetfence-users@lists.sourceforge.net
Cc: Mudrich, J. <j.mudr...@altmark-klinikum.de>
Betreff: AW: [PacketFence-users] secure AP Uplink Ports

 

Hello Johannes Mudrich

 

Perhaps this idea is what you are looking for 😊

 

to secure our APs we do the following:

  1. MAC authentication for our APs
  2. Create Radius Filter Engine that matches your AP/requirements and Modify the Reply:

Answers:

Reply:Egress-VLAN-Name - 1VLXXX-VLAN1

Reply:Egress-VLAN-Name - 1VLXXX-VLAN2

Reply:HP-Port-MA-Port-Mode - 1

 

Scopes

returnRadiusAccessAccept

 

This is working with our HP Switches and should work with every AP (if your Radius Filter is set correct 😉 )

Idea: detect the AP in the Port, authenticate it based on your rules and modify the the radius answer to set the allowed tagged VLANs and set the Port from user based authentication to port based (HP-Port-MA-Port-Mode / HPE-Port-MA-Port-Mode). That way the AP will “unlock” the switchport as long as a link is active.

“Generally, the “Port Based” method supports one 802.1X-authenticated client on a port, which opens the port to an unlimited number of clients.”

 

If someone unpluggs the AP the Port switches back to user based, and no “unsecure” devices are allowed. Plug in the AP, the normal Authentication is done and based on the RADIUS Filter configured before the RADIUS response will contain the “command” to switch back to port based authentication.

 

WiFi Clients are automatically allowed on the switchport. You must configure 802.1x/MAC auth on the WiFi Controller/AP to authentication the WiFi clients.

 

I am only using HPe but other vendors should be able to switch the 802.1x Authentication to Port-based, too.

 

 

Best  Regards

Michael Weber

 

Von: Mudrich, J. via PacketFence-users <packetfence-users@lists.sourceforge.net>
Gesendet: Mittwoch, 22. März 2023 07:26
An: packetfence-users@lists.sourceforge.net
Cc: Mudrich, J. <j.mudr...@altmark-klinikum.de>
Betreff: Re: [PacketFence-users] secure AP Uplink Ports

 

Hello Mirko,

 

the Problem with MAC based authentication is, that the port will be blocked as soon as a new MAC is registered on the port. So this doesn’t work for access point uplink ports. Especially when providing a guest SSID.

On our switches port-security only works with SNMP-traps which I didn’t want to setup since we already configured everything for RADIUS. Also it didn’t work with PF for some reason.

 

kind regards

Johannes

 

Von: sgiops sgiops via PacketFence-users [mailto:packetfence-users@lists.sourceforge.net]
Gesendet: Dienstag, 21. März 2023 15:29
An: packetfence-users@lists.sourceforge.net
Cc: sgiops sgiops <thesgi...@gmail.com>
Betreff: Re: [PacketFence-users] secure AP Uplink Ports

 

Hello Johannes,

 

Maybe you are describing the "port-security" functionality (this is usually a feature provided by the switch OS). Or you can use mac address based authentication by manually registering the node (AP). 

 

Regards

 

Mirko

 

Il giorno mar 21 mar 2023 alle ore 15:19 Mudrich, J. via PacketFence-users <packetfence-users@lists.sourceforge.net> ha scritto:

Hello everyone,

 

I have another question regarding port security: Is there any way I can secure a port on an edge switch where an access point is connected?

I’m thinking of a scenario where someone takes a ladder, pulls the cable from an access point and connects his own device.

Maybe some mechanism like: If port comes up without APs MAC, close the port.

 

Thanks

Johannes

 

Johannes Mudrich
Mitarbeiter
IT

Altmark-Klinikum gGmbH
Ernst-von-Bergmann-Straße 22
39638 Gardelegen

Tel.:

 03907 791229

Fax.:

 03907 791248

Mail:

 j.mudr...@altmark-klinikum.de

 

 

Salus Altmark Holding gGmbH
Tel.: +49 39325700
Sitz der Gesellschaft:
Seepark 5 | 39116 Magdeburg
www.salusaltmarkholding.de

    

Registergericht: AG Stendal: HRB 112594
Geschäftsführer: Jürgen Richter
Aufsichtsratsvorsitz: Wolfgang Beck
Gemäß Art. 13 DSGVO informieren wir darüber, dass Ihre Daten elektronisch gespeichert werden. Nähere Informationen: www.salusaltmarkholding.de/datenschutz

Ab Januar 2022 nehmen wir keine Mails mit doc-, xls- und ppt-Anhängen mehr an.
Bitte verwenden Sie die aktuellen Office-Formate docx, xlsx, pptx oder pdf.



Johannes Mudrich
Mitarbeiter
IT

Altmark-Klinikum gGmbH
Ernst-von-Bergmann-Straße 22
39638 Gardelegen

Tel.:

 03907 791229

Fax.:

 03907 791248

Mail:

 j.mudr...@altmark-klinikum.de

_______________________________________________
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://ddei5-0-ctp.trendmicro.com:443/wis/clicktime/v1/query?url="">

 

 

_______________________________________________
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users






















					Reply via email to