Hi Fabrice,
Having nothing work if nothing matches is my goal, since I don’t want to allow
PEAP-MSCHAPv2 authentication on some SSIDs, but need AD as an authentication
source for admin. Although writing that I remember that admin rules are
different to authentication rules. So what I really want is for successful auth
that doesn’t match a connection profile to not work.
The example I have is I’m testing EAP-TLS on Windows which works when
configured with a wifi profile from Intune, but when I joined manually, it used
machine account (password) auth and got stuck in the registration VLAN, which
was very confusing until I realised what happened. The only connection profile
that matched that SSID also required Connection Sub Type EAP-TLS, so it fell
back to the default connection profile.
Nov 15 15:06:07 kerr pfqueue[2158733]: pfqueue(2158733) INFO: [mac:6c:a1:00:4e:15:8b] Instantiate profile default (pf::Connection::ProfileFactory::_from_profile)
Nov 15 15:06:11 kerr packetfence_httpd.aaa[2066451]: httpd.aaa(1480) INFO: [mac:7c:b2:7d:48:c2:c7] handling radius autz request: from switch_ip => (10.20.0.1), connection_type => Wireless-802.11-EAP,switch_mac => (e8:ed:d6:1d:b6:e0), mac => [7c:b2:7d:48:c2:c7], port => external, username => "host/ITE22001.ad.ccgs.wa.edu.au", ssid => CCGS Students2 (pf::radius::authorize)
Nov 15 15:06:11 kerr packetfence_httpd.aaa[2066451]: httpd.aaa(1480) INFO: [mac:7c:b2:7d:48:c2:c7] Instantiate profile default (pf::Connection::ProfileFactory::_from_profile)
Nov 15 15:06:11 kerr packetfence_httpd.aaa[2066451]: httpd.aaa(1480) INFO: [mac:7c:b2:7d:48:c2:c7] is of status unreg; belongs into registration VLAN (pf::role::getRegistrationRole)
I guess the more general question is what determines the lookup order for a
connection attempt against the connection profiles?
Thanks,
--
James Andrewartha
Network & Projects Engineer
Christ Church Grammar School
Claremont, Western Australia
Ph. (08) 9442 1757
Mob. 0424 160 877
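
Added example (not part of the original messages and not PacketFence's own code): a small log check that flags 802.1X authorizations which ended up on the default connection profile, the silent fallback described in the message above. It assumes one log entry per line in the format quoted there; the sample lines, MACs, names and SSIDs are constructed.

```python
import re

# Constructed sample (made-up MACs, names, SSIDs) in the log format quoted above.
SAMPLE_LOG = """\
Nov 15 15:06:07 pf pfqueue[100]: pfqueue(100) INFO: [mac:02:00:00:00:00:09] Instantiate profile default (pf::Connection::ProfileFactory::_from_profile)
Nov 15 15:06:11 pf packetfence_httpd.aaa[200]: httpd.aaa(1480) INFO: [mac:02:00:00:00:00:01] handling radius autz request: from switch_ip => (192.0.2.1), connection_type => Wireless-802.11-EAP,switch_mac => (02:00:00:00:00:aa), mac => [02:00:00:00:00:01], port => external, username => "host/LAPTOP01.example.org", ssid => Example Students (pf::radius::authorize)
Nov 15 15:06:11 pf packetfence_httpd.aaa[200]: httpd.aaa(1480) INFO: [mac:02:00:00:00:00:01] Instantiate profile default (pf::Connection::ProfileFactory::_from_profile)
Nov 15 15:06:20 pf packetfence_httpd.aaa[200]: httpd.aaa(1480) INFO: [mac:02:00:00:00:00:02] handling radius autz request: from switch_ip => (192.0.2.1), connection_type => Wireless-802.11-EAP,switch_mac => (02:00:00:00:00:aa), mac => [02:00:00:00:00:02], port => external, username => "alice", ssid => Example Staff (pf::radius::authorize)
Nov 15 15:06:20 pf packetfence_httpd.aaa[200]: httpd.aaa(1480) INFO: [mac:02:00:00:00:00:02] Instantiate profile staff-tls (pf::Connection::ProfileFactory::_from_profile)
Nov 15 15:06:30 pf packetfence_httpd.aaa[200]: httpd.aaa(1480) INFO: [mac:02:00:00:00:00:03] handling radius autz request: from switch_ip => (192.0.2.1), connection_type => Wireless-802.11-NoEAP,switch_mac => (02:00:00:00:00:aa), mac => [02:00:00:00:00:03], port => external, username => "020000000003", ssid => Example Guest (pf::radius::authorize)
Nov 15 15:06:30 pf packetfence_httpd.aaa[200]: httpd.aaa(1480) INFO: [mac:02:00:00:00:00:03] Instantiate profile default (pf::Connection::ProfileFactory::_from_profile)
"""

AUTZ = re.compile(
    r'\[mac:(?P<mac>[0-9a-f:]{17})\] handling radius autz request: .*?'
    r'connection_type => (?P<ctype>[^,]+),.*?username => "(?P<user>[^"]*)", '
    r'ssid => (?P<ssid>.+?) \(pf::radius::authorize\)')
PROFILE = re.compile(
    r'\[mac:(?P<mac>[0-9a-f:]{17})\] Instantiate profile (?P<profile>\S+) '
    r'\(pf::Connection::ProfileFactory::_from_profile\)')


def default_profile_fallbacks(log_text, fallback="default"):
    """Return 802.1X authorizations that were served by the fallback profile."""
    pending = {}   # mac -> details of the most recent autz request
    findings = []
    for line in log_text.splitlines():
        m = AUTZ.search(line)
        if m:
            pending[m["mac"]] = m.groupdict()
            continue
        m = PROFILE.search(line)
        if not m:
            continue
        req = pending.pop(m["mac"], None)
        # Skip profile lookups with no RADIUS request before them (e.g. pfqueue),
        # non-EAP (MAC auth) requests, and requests that matched a specific profile.
        if req and req["ctype"].endswith("-EAP") and m["profile"] == fallback:
            findings.append(req)
    return findings


if __name__ == "__main__":
    for f in default_profile_fallbacks(SAMPLE_LOG):
        print(f'{f["mac"]} user={f["user"]} ssid={f["ssid"]!r} -> default profile')
```
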
From: Fabrice Durand
Sent: Wednesday, 16 November 2022 9:47 PM
To: packetfence-users@lists.sourceforge.net
Cc: James Andrewartha
Subject: Re: [PacketFence-users] Disable default connection profile
Hello James,
Trying to remove the default profile is not a good idea, since if no profile
matches then nothing will work.
The default is the last-resort one if no other one matches, so be sure to have one
that matches your filter (like the SSID) and keep the default one.
Regards
Fabrice
On Wed, 16 Nov 2022 at 08:30, James Andrewartha via PacketFence-users
<packetfence-users@lists.sourceforge.net> wrote:
Hi,
I'm trying to understand connection profiles, and so wanted to disable
the default so it's not matched, or at least not matched first. But I
can't disable it or reorder it. I tried this at the top of profiles.conf
but that just disabled all the other profiles instead:
[default]
status=disabled
Should I just be changing it to suit my own needs? Or could I delete
profiles.conf.defaults?
Thanks,
--
James Andrewartha
Network & Projects Engineer
Christ Church Grammar School
Claremont, Western Australia
Ph. (08) 9442 1757
Mob. 0424 160 877
___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users