Re: [PacketFence-users] Radius Filter - Block Mac Auth for certain roles

2021-02-10 Thread Durand fabrice via PacketFence-users

Hello Robert,

To answer this question, I need the packetfence.log.

Regards

Fabrice


On 21-02-10 at 20:19, Robert McNutt wrote:


I actually set this up this way also but the vlan filter still returns 
a radius accept to the switch even though it’s sending a REJECT. Is 
there any way for this method to not send the radius accept but 
instead a radius Reject?






On Wed, Feb 10, 2021 at 7:47 PM Durand fabrice via PacketFence-users wrote:


Hello Robert,

it's more a vlan filter that you have to do.

[RejectUnauthorizedRoleMAB]
run_actions=enabled
status=enabled
top_op=and
description=RejectUnauthorizedRoleMAB
scopes=RegisteredRole
role=REJECT
condition=connection_type == "Ethernet-NoEAP" && !((node_info.category == "gaming" || node_info.category == "guest"))

Regards

Fabrice


On 21-02-09 at 17:00, Robert McNutt via PacketFence-users wrote:

Still struggling with this logic which I think should be simple.

We're trying to set up a radius filter to only allow MAB for
devices with a specific role... for example IP phones and
Printers. We have an issue where Macintoshes and some PCs just
default to MAB and they get access to their trusted VLAN. This
seems to defeat the purpose of NAC but it seems like there should
be a way to only allow 802.1X for some devices and only MAB for
others.

Has anyone else run into this or have any ideas to not fall back
to MAB for some devices?
Robert McNutt


On Thu, Apr 23, 2020 at 7:55 AM Ludovic Zammit
<lzam...@inverse.ca> wrote:

Hello Robert,

A fix has been done yesterday regarding the connection type:


https://github.com/inverse-inc/packetfence/commit/176c6d6df606cff86a83c9cf93a571c44dd52da0

Apply the maintenance branch and check if it fixes it.

/usr/local/pf/addons/pf-maint.pl 

Thanks,

Ludovic Zammit
lzam...@inverse.ca :: +1.514.447.4918 (x145) :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence (http://packetfence.org)






On Apr 22, 2020, at 3:58 PM, Robert McNutt via
PacketFence-users <packetfence-users@lists.sourceforge.net> wrote:

I'm trying to set a radius filter to block mac auth for any
devices assigned to roles that should only auth via PEAP or
EAP-TLS...

For example, if a port has a phone and computer plugged in,
the phone will do mac auth but the computer should never get
a radius accept for mac auth... what's happening by default
is if a computer fails dot1x auth it then falls back to mac
auth and PF accepts it because the node was registered...
this is what I'm trying to prevent...

I set up a radius filter as such:

connection_type == "Ethernet-NoEAP" && (node_info.category
== "CORP-LAN" || node_info.category == "ADMIN-LAN")

It never matches... But if I change the logic to be NOT
Ethernet-EAP, everything matches, EAP and not EAP... it
seems as if the connection_type isn't actually being read by
the filter parsing... Am I missing something?


Robert McNutt

--
Robert McNutt
___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users


Re: [PacketFence-users] Radius Filter - Block Mac Auth for certain roles

2021-02-10 Thread Robert McNutt via PacketFence-users
I actually set this up this way also but the vlan filter still returns a
radius accept to the switch even though it’s sending a REJECT. Is there any
way for this method to not send the radius accept but instead a radius
Reject?





On Wed, Feb 10, 2021 at 7:47 PM Durand fabrice via PacketFence-users <
packetfence-users@lists.sourceforge.net> wrote:

> Hello Robert,
>
> it's more a vlan filter that you have to do.
>
> [RejectUnauthorizedRoleMAB]
> run_actions=enabled
> status=enabled
> top_op=and
> description=RejectUnauthorizedRoleMAB
> scopes=RegisteredRole
> role=REJECT
> condition=connection_type == "Ethernet-NoEAP" && !((node_info.category == "gaming" || node_info.category == "guest"))
>
> Regards
>
> Fabrice
>
>
> On 21-02-09 at 17:00, Robert McNutt via PacketFence-users wrote:
>
> Still struggling with this logic which I think should be simple.
>
> We're trying to set up a radius filter to only allow MAB for devices with a
> specific role... for example IP phones and Printers. We have an issue where
> Macintoshes and some PCs just default to MAB and they get access to their
> trusted VLAN. This seems to defeat the purpose of NAC but it seems like
> there should be a way to only allow 802.1X for some devices and only MAB
> for others.
>
> Has anyone else run into this or have any ideas to not fall back to MAB
> for some devices?
> Robert McNutt
>
>
> On Thu, Apr 23, 2020 at 7:55 AM Ludovic Zammit  wrote:
>
>> Hello Robert,
>>
>> A fix has been done yesterday regarding the connection type:
>>
>>
>> https://github.com/inverse-inc/packetfence/commit/176c6d6df606cff86a83c9cf93a571c44dd52da0
>>
>> Apply the maintenance branch and check if it fixes it.
>>
>> /usr/local/pf/addons/pf-maint.pl
>>
>> Thanks,
>>
>> Ludovic Zammit
>> lzam...@inverse.ca :: +1.514.447.4918 (x145) :: www.inverse.ca
>> Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence (http://packetfence.org)
>>
>>
>>
>>
>>
>> On Apr 22, 2020, at 3:58 PM, Robert McNutt via PacketFence-users <
>> packetfence-users@lists.sourceforge.net> wrote:
>>
>> I'm trying to set a radius filter to block mac auth for any devices
>> assigned to roles that should only auth via PEAP or EAP-TLS...
>>
>> For example, if a port has a phone and computer plugged in, the phone
>> will do mac auth but the computer should never get a radius accept for mac
>> auth... what's happening by default is if a computer fails dot1x auth it
>> then falls back to mac auth and PF accepts it because the node was
>> registered... this is what I'm trying to prevent...
>>
>> I set up a radius filter as such:
>>
>> connection_type == "Ethernet-NoEAP" && (node_info.category == "CORP-LAN"
>> || node_info.category == "ADMIN-LAN")
>>
>> It never matches... But if I change the logic to be NOT Ethernet-EAP,
>> everything matches, EAP and not EAP... it seems as if the connection_type
>> isn't actually being read by the filter parsing... Am I missing something?
>>
>>
>> Robert McNutt
-- 
Robert McNutt
___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users


Re: [PacketFence-users] Radius Filter - Block Mac Auth for certain roles

2021-02-10 Thread Durand fabrice via PacketFence-users

Hello Robert,

it's more a vlan filter that you have to do.

[RejectUnauthorizedRoleMAB]
run_actions=enabled
status=enabled
top_op=and
description=RejectUnauthorizedRoleMAB
scopes=RegisteredRole
role=REJECT
condition=connection_type == "Ethernet-NoEAP" && !((node_info.category == "gaming" || node_info.category == "guest"))


Regards

Fabrice


On 21-02-09 at 17:00, Robert McNutt via PacketFence-users wrote:

Still struggling with this logic which I think should be simple.

We're trying to set up a radius filter to only allow MAB for devices 
with a specific role... for example IP phones and Printers. We have an 
issue where Macintoshes and some PCs just default to MAB and they get 
access to their trusted VLAN. This seems to defeat the purpose of NAC 
but it seems like there should be a way to only allow 802.1X for some 
devices and only MAB for others.


Has anyone else run into this or have any ideas to not fall back to 
MAB for some devices?

Robert McNutt


On Thu, Apr 23, 2020 at 7:55 AM Ludovic Zammit wrote:


Hello Robert,

A fix has been done yesterday regarding the connection type:


https://github.com/inverse-inc/packetfence/commit/176c6d6df606cff86a83c9cf93a571c44dd52da0

Apply the maintenance branch and check if it fixes it.

/usr/local/pf/addons/pf-maint.pl 

Thanks,

Ludovic Zammit
lzam...@inverse.ca :: +1.514.447.4918 (x145) :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence (http://packetfence.org)






On Apr 22, 2020, at 3:58 PM, Robert McNutt via PacketFence-users
<packetfence-users@lists.sourceforge.net> wrote:

I'm trying to set a radius filter to block mac auth for any
devices assigned to roles that should only auth via PEAP or
EAP-TLS...

For example, if a port has a phone and computer plugged in, the
phone will do mac auth but the computer should never get a radius
accept for mac auth... what's happening by default is if a
computer fails dot1x auth it then falls back to mac auth and PF
accepts it because the node was registered... this is what I'm
trying to prevent...

I set up a radius filter as such:

connection_type == "Ethernet-NoEAP" && (node_info.category ==
"CORP-LAN" || node_info.category == "ADMIN-LAN")

It never matches... But if I change the logic to be NOT
Ethernet-EAP, everything matches, EAP and not EAP... it seems as
if the connection_type isn't actually being read by the filter
parsing... Am I missing something?


Robert McNutt
___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users
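
The two conditions posted in this thread can be checked against sample requests before they go into the filter configuration. This added example is not PacketFence code and not from any poster: it uses a small stand-in evaluator that assumes ==, !=, &&, ||, ! and parentheses carry their usual boolean meaning, and the function names, the sample requests and the "printers" role are constructed.

```python
import re

# Conditions quoted in the thread (e-mail line wrapping removed).
DENYLIST_CONDITION = ('connection_type == "Ethernet-NoEAP" && '
                      '(node_info.category == "CORP-LAN" || node_info.category == "ADMIN-LAN")')
ALLOWLIST_CONDITION = ('connection_type == "Ethernet-NoEAP" && '
                       '!((node_info.category == "gaming" || node_info.category == "guest"))')

_TOKEN = re.compile(r'\s*(?:(&&|\|\||==|!=|!|\(|\))|"([^"]*)"|([A-Za-z_][\w.]*))')


def tokenize(text):
    """Split a condition into (kind, value) tokens; raise on anything unknown."""
    text, pos, tokens = text.strip(), 0, []
    while pos < len(text):
        match = _TOKEN.match(text, pos)
        if match is None:
            raise ValueError(f"cannot parse condition at offset {pos}")
        op, literal, name = match.groups()
        if op is not None:
            tokens.append(("op", op))
        elif literal is not None:
            tokens.append(("str", literal))
        else:
            tokens.append(("name", name))
        pos = match.end()
    return tokens


def evaluate(condition, request):
    """Stand-in evaluator (assumed semantics, not PacketFence's own parser)."""
    tokens, pos = tokenize(condition), 0

    def peek():
        return tokens[pos] if pos < len(tokens) else (None, None)

    def take(kind, value=None):
        nonlocal pos
        tok = peek()
        if tok[0] != kind or (value is not None and tok[1] != value):
            raise ValueError(f"expected {value or kind}, got {tok[1]!r}")
        pos += 1
        return tok[1]

    def lookup(name):
        # Dotted names such as node_info.category walk nested dicts.
        value = request
        for part in name.split("."):
            value = value.get(part) if isinstance(value, dict) else None
        return value

    def comparison():
        name = take("name")
        op = take("op")
        if op not in ("==", "!="):
            raise ValueError(f"expected == or !=, got {op!r}")
        equal = lookup(name) == take("str")
        return equal if op == "==" else not equal

    def unary():
        if peek() == ("op", "!"):
            take("op", "!")
            return not unary()
        if peek() == ("op", "("):
            take("op", "(")
            value = or_expr()
            take("op", ")")
            return value
        return comparison()

    def and_expr():
        value = unary()
        while peek() == ("op", "&&"):
            take("op", "&&")
            rhs = unary()
            value = value and rhs
        return value

    def or_expr():
        value = and_expr()
        while peek() == ("op", "||"):
            take("op", "||")
            rhs = and_expr()
            value = value or rhs
        return value

    result = or_expr()
    if pos != len(tokens):
        raise ValueError("unexpected trailing input")
    return result


# Constructed sample requests; "printers" is a constructed role named in neither condition.
SAMPLE_REQUESTS = {
    "guest-mab": {"connection_type": "Ethernet-NoEAP", "node_info": {"category": "guest"}},
    "corp-mab": {"connection_type": "Ethernet-NoEAP", "node_info": {"category": "CORP-LAN"}},
    "corp-eap": {"connection_type": "Ethernet-EAP", "node_info": {"category": "CORP-LAN"}},
    "printer-mab": {"connection_type": "Ethernet-NoEAP", "node_info": {"category": "printers"}},
}


def rejected(condition, requests=SAMPLE_REQUESTS):
    """Labels of the requests the condition matches, i.e. that would be given role=REJECT."""
    return sorted(label for label, req in requests.items() if evaluate(condition, req))


if __name__ == "__main__":
    print("denylist form :", rejected(DENYLIST_CONDITION))
    print("allowlist form:", rejected(ALLOWLIST_CONDITION))
```

Under those assumptions, the second condition matches every MAB request whose role is not named in it, so the roles that are meant to use MAB have to be listed there, while the first condition lets MAB through for any role added later that is not named.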


Re: [PacketFence-users] Radius Filter - Block Mac Auth for certain roles

2021-02-09 Thread Robert McNutt via PacketFence-users
Still struggling with this logic which I think should be simple.

We're trying to set up a radius filter to only allow MAB for devices with a
specific role... for example IP phones and Printers. We have an issue where
Macintoshes and some PCs just default to MAB and they get access to their
trusted VLAN. This seems to defeat the purpose of NAC but it seems like
there should be a way to only allow 802.1X for some devices and only MAB
for others.

Has anyone else run into this or have any ideas to not fall back to MAB for
some devices?
Robert McNutt


On Thu, Apr 23, 2020 at 7:55 AM Ludovic Zammit  wrote:

> Hello Robert,
>
> A fix has been done yesterday regarding the connection type:
>
>
> https://github.com/inverse-inc/packetfence/commit/176c6d6df606cff86a83c9cf93a571c44dd52da0
>
> Apply the maintenance branch and check if it fixes it.
>
> /usr/local/pf/addons/pf-maint.pl
>
> Thanks,
>
>
> Ludovic Zammit
> lzam...@inverse.ca :: +1.514.447.4918 (x145) :: www.inverse.ca
> Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence (http://packetfence.org)
>
>
>
>
>
> On Apr 22, 2020, at 3:58 PM, Robert McNutt via PacketFence-users <
> packetfence-users@lists.sourceforge.net> wrote:
>
> I'm trying to set a radius filter to block mac auth for any devices
> assigned to roles that should only auth via PEAP or EAP-TLS...
>
> For example, if a port has a phone and computer plugged in, the phone will
> do mac auth but the computer should never get a radius accept for mac
> auth... what's happening by default is if a computer fails dot1x auth it
> then falls back to mac auth and PF accepts it because the node was
> registered... this is what I'm trying to prevent...
>
> I set up a radius filter as such:
>
> connection_type == "Ethernet-NoEAP" && (node_info.category == "CORP-LAN"
> || node_info.category == "ADMIN-LAN")
>
> It never matches... But if I change the logic to be NOT Ethernet-EAP,
> everything matches, EAP and not EAP... it seems as if the connection_type
> isn't actually being read by the filter parsing... Am I missing something?
>
>
> Robert McNutt
___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users


Re: [PacketFence-users] Radius Filter - Block Mac Auth for certain roles

2020-04-23 Thread Ludovic Zammit via PacketFence-users
Hello Robert,

A fix has been done yesterday regarding the connection type:

https://github.com/inverse-inc/packetfence/commit/176c6d6df606cff86a83c9cf93a571c44dd52da0
 


Apply the maintenance branch and check if it fixes it.

/usr/local/pf/addons/pf-maint.pl

Thanks,

Ludovic Zammit
lzam...@inverse.ca :: +1.514.447.4918 (x145) :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence (http://packetfence.org)




> On Apr 22, 2020, at 3:58 PM, Robert McNutt via PacketFence-users wrote:
> 
> I'm trying to set a radius filter to block mac auth for any devices assigned 
> to roles that should only auth via PEAP or EAP-TLS...
> 
> For example, if a port has a phone and computer plugged in, the phone will do 
> mac auth but the computer should never get a radius accept for mac auth... 
> what's happening by default is if a computer fails dot1x auth it then falls 
> back to mac auth and PF accepts it because the node was registered... this is 
> what I'm trying to prevent...
> 
> I set up a radius filter as such:
> 
> connection_type == "Ethernet-NoEAP" && (node_info.category == "CORP-LAN" || 
> node_info.category == "ADMIN-LAN")
> 
> It never matches... But if I change the logic to be NOT Ethernet-EAP, 
> everything matches, EAP and not EAP... it seems as if the connection_type 
> isn't actually being read by the filter parsing... Am I missing something?
> 
> 
> Robert McNutt

___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users


Re: [PacketFence-users] Radius Filter - Block Mac Auth for certain roles

2020-04-22 Thread Durand fabrice via PacketFence-users

Hello Robert,

Can you paste the packetfence.log when the device authenticates and also 
paste the radius filter?


Regards

Fabrice


On 20-04-22 at 15:58, Robert McNutt via PacketFence-users wrote:
I'm trying to set a radius filter to block mac auth for any devices 
assigned to roles that should only auth via PEAP or EAP-TLS...


For example, if a port has a phone and computer plugged in, the phone 
will do mac auth but the computer should never get a radius accept for 
mac auth... what's happening by default is if a computer fails dot1x 
auth it then falls back to mac auth and PF accepts it because the node 
was registered... this is what I'm trying to prevent...


I set up a radius filter as such:

connection_type == "Ethernet-NoEAP" && (node_info.category == 
"CORP-LAN" || node_info.category == "ADMIN-LAN")


It never matches... But if I change the logic to be NOT Ethernet-EAP, 
everything matches, EAP and not EAP... it seems as if the 
connection_type isn't actually being read by the filter parsing... Am 
I missing something?



Robert McNutt


___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users


Re: [PacketFence-users] Radius Filter

2018-02-22 Thread John Sayce via PacketFence-users
Okay, Thanks.  I've got it working now.  I thought the problem was the same in 
a real world test, however the problem on site appeared to be one of our access 
points being difficult when receiving updates.

John



-----Original Message-----
From: Durand fabrice via PacketFence-users 
[mailto:packetfence-users@lists.sourceforge.net] 
Sent: 18 February 2018 18:45
To: packetfence-users@lists.sourceforge.net
Cc: Durand fabrice 
Subject: Re: [PacketFence-users] Radius Filter

Hello John,

It can't work with portal preview since the filter uses the radius request.

It must be a real test.

Regards

Fabrice



On 2018-02-16 at 05:37, John Sayce via PacketFence-users wrote:
> So I'm working remotely at the moment.  The floating address I have 
> configured is 00:11:22:33:44:55 and I'm using the portal preview feature, so 
> if that's not going to work I understand, although I did also test it on 
> site.  I can't see anything mentioning the vlan filter in the log.  It's as 
> follows:
>
> Feb 16 09:52:24 httpd.portal(58307) WARN: [mac:unknown] Unable to 
> match MAC address to IP '10.8.5.8' (pf::iplog::ip2mac) Feb 16 09:52:24 
> httpd.portal(58307) INFO: [mac:unknown] Instantiate profile default 
> (pf::Portal::ProfileFactory::_from_profile)
> Feb 16 09:52:24 httpd.portal(58307) WARN: [mac:00:11:22:33:44:55] 
> Unable to match MAC address to IP '10.8.5.8' (pf::iplog::ip2mac) Feb 
> 16 09:52:24 httpd.portal(58307) INFO: [mac:00:11:22:33:44:55] 
> Instantiate profile default 
> (pf::Portal::ProfileFactory::_from_profile)
> Feb 16 09:52:24 httpd.portal(58307) INFO: [mac:00:11:22:33:44:55] 
> Instantiate profile Internal 
> (pf::Portal::ProfileFactory::_from_profile)
> Feb 16 09:52:25 httpd.portal(58301) WARN: [mac:unknown] Unable to 
> match MAC address to IP '10.8.5.8' (pf::iplog::ip2mac) Feb 16 09:52:25 
> httpd.portal(58301) INFO: [mac:unknown] Instantiate profile default 
> (pf::Portal::ProfileFactory::_from_profile)
> Feb 16 09:52:25 httpd.portal(58301) WARN: [mac:00:11:22:33:44:55] 
> Unable to match MAC address to IP '10.8.5.8' (pf::iplog::ip2mac) Feb 
> 16 09:52:25 httpd.portal(58301) INFO: [mac:00:11:22:33:44:55] 
> Instantiate profile default 
> (pf::Portal::ProfileFactory::_from_profile)
> Feb 16 09:52:25 httpd.portal(58301) INFO: [mac:00:11:22:33:44:55] 
> Instantiate profile Internal 
> (pf::Portal::ProfileFactory::_from_profile)
> Feb 16 09:52:25 httpd.portal(58300) WARN: [mac:unknown] Unable to 
> match MAC address to IP '10.8.5.8' (pf::iplog::ip2mac) Feb 16 09:52:25 
> httpd.portal(58300) INFO: [mac:unknown] Instantiate profile default 
> (pf::Portal::ProfileFactory::_from_profile)
> Feb 16 09:52:25 httpd.portal(58300) WARN: [mac:00:11:22:33:44:55] 
> Unable to match MAC address to IP '10.8.5.8' (pf::iplog::ip2mac) Feb 
> 16 09:52:25 httpd.portal(58300) INFO: [mac:00:11:22:33:44:55] 
> Instantiate profile default 
> (pf::Portal::ProfileFactory::_from_profile)
> Feb 16 09:52:25 httpd.portal(58300) INFO: [mac:00:11:22:33:44:55] 
> Instantiate profile Internal 
> (pf::Portal::ProfileFactory::_from_profile)
> Feb 16 09:52:32 httpd.portal(58307) WARN: [mac:unknown] Unable to 
> match MAC address to IP '10.8.5.8' (pf::iplog::ip2mac) Feb 16 09:52:32 
> httpd.portal(58307) INFO: [mac:unknown] Instantiate profile default 
> (pf::Portal::ProfileFactory::_from_profile)
> Feb 16 09:52:32 httpd.portal(58307) WARN: [mac:00:11:22:33:44:55] 
> Unable to match MAC address to IP '10.8.5.8' (pf::iplog::ip2mac) Feb 
> 16 09:52:32 httpd.portal(58307) INFO: [mac:00:11:22:33:44:55] 
> Instantiate profile default 
> (pf::Portal::ProfileFactory::_from_profile)
> Feb 16 09:52:32 httpd.portal(58307) INFO: [mac:00:11:22:33:44:55] 
> Instantiate profile Internal 
> (pf::Portal::ProfileFactory::_from_profile)
> Feb 16 09:52:33 httpd.portal(58307) INFO: [mac:00:11:22:33:44:55] 
> Authenticating user using sources : ASD 
> (captiveportal::PacketFence::DynamicRouting::Module::Authentication::L
> ogin::authenticate) Feb 16 09:52:33 httpd.portal(58307) INFO: 
> [mac:00:11:22:33:44:55] [ASD] Authentication successful for jsayce 
> (pf::Authentication::Source::LDAPSource::authenticate)
> Feb 16 09:52:33 httpd.portal(58307) INFO: [mac:00:11:22:33:44:55] 
> Authentication successful for 'jsayce' in source ASD (AD) 
> (pf::authentication::authenticate)
> Feb 16 09:52:33 httpd.portal(58307) INFO: [mac:00:11:22:33:44:55] User 
> jsayce has authenticated on the portal. (Class::MOP::Class:::after) 
> Feb 16 09:52:33 httpd.portal(58307) INFO: [mac:00:11:22:33:44:55] 
> Found source ASD in session. (Class::MOP::Class:::around) Feb 16 
> 09:52:33 httpd.portal(58307) INFO: [mac:00:11:22:33:44:55] Found 
> source ASD

Re: [PacketFence-users] Radius Filter

2018-02-19 Thread Durand fabrice via PacketFence-users
d rule class. Defaulting to 'authentication' 
(pf::authentication::match)
Feb 16 09:52:33 httpd.portal(58307) INFO: [mac:00:11:22:33:44:55] Using sources 
ASD for matching (pf::authentication::match)
Feb 16 09:52:33 httpd.portal(58307) INFO: [mac:00:11:22:33:44:55] Matched rule 
(AuthAD) in source ASD, returning actions. (pf::Authentication::Source::match)
Feb 16 09:52:33 httpd.portal(58307) WARN: [mac:00:11:22:33:44:55] The DAY is 
today or before today. Setting date to next year (pf::config::try {...} )
Feb 16 09:52:33 httpd.portal(58307) INFO: [mac:00:11:22:33:44:55] Found source 
ASD in session. (Class::MOP::Class:::around)
Feb 16 09:52:33 httpd.portal(58307) INFO: [mac:00:11:22:33:44:55] User jsayce 
has authenticated on the portal. (Class::MOP::Class:::after)
Feb 16 09:52:33 httpd.portal(58307) WARN: [mac:00:11:22:33:44:55] Calling match 
with empty/invalid rule class. Defaulting to 'authentication' 
(pf::authentication::match)
Feb 16 09:52:33 httpd.portal(58307) INFO: [mac:00:11:22:33:44:55] Using sources 
ASD for matching (pf::authentication::match)
Feb 16 09:52:33 httpd.portal(58307) INFO: [mac:00:11:22:33:44:55] Matched rule 
(AuthAD) in source ASD, returning actions. (pf::Authentication::Source::match)
Feb 16 09:52:33 httpd.portal(58307) INFO: [mac:00:11:22:33:44:55] Found source 
ASD in session. (Class::MOP::Class:::around)
Feb 16 09:52:33 httpd.portal(58307) INFO: [mac:00:11:22:33:44:55] Found source 
ASD in session. (Class::MOP::Class:::around)
Feb 16 09:52:33 httpd.portal(58301) WARN: [mac:unknown] Unable to match MAC 
address to IP '10.8.5.8' (pf::iplog::ip2mac)
Feb 16 09:52:33 httpd.portal(58301) INFO: [mac:unknown] Instantiate profile 
default (pf::Portal::ProfileFactory::_from_profile)
Feb 16 09:52:33 httpd.portal(58301) WARN: [mac:00:11:22:33:44:55] Unable to 
match MAC address to IP '10.8.5.8' (pf::iplog::ip2mac)
Feb 16 09:52:33 httpd.portal(58301) INFO: [mac:00:11:22:33:44:55] Instantiate 
profile default (pf::Portal::ProfileFactory::_from_profile)
Feb 16 09:52:33 httpd.portal(58301) INFO: [mac:00:11:22:33:44:55] Instantiate 
profile Internal (pf::Portal::ProfileFactory::_from_profile)
Feb 16 09:52:33 httpd.portal(58301) INFO: [mac:00:11:22:33:44:55] User jsayce 
has authenticated on the portal. (Class::MOP::Class:::after)
Feb 16 09:52:33 httpd.portal(58301) INFO: [mac:00:11:22:33:44:55] No 
provisioner found for 00:11:22:33:44:55. Continuing. 
(captiveportal::PacketFence::DynamicRouting::Module::Provisioning::execute_child)
Feb 16 09:52:33 httpd.portal(58301) INFO: [mac:00:11:22:33:44:55] User jsayce 
has authenticated on the portal. (Class::MOP::Class:::after)
Feb 16 09:52:33 httpd.portal(58301) INFO: [mac:00:11:22:33:44:55] User jsayce 
has authenticated on the portal. (Class::MOP::Class:::after)
Feb 16 09:52:33 httpd.portal(58301) INFO: [mac:00:11:22:33:44:55] violation 
133 force-closed for 00:11:22:33:44:55 
(pf::violation::violation_force_close)
Feb 16 09:52:33 httpd.portal(58301) INFO: [mac:00:11:22:33:44:55] Instantiate 
profile default (pf::Portal::ProfileFactory::_from_profile)
Feb 16 09:52:33 httpd.portal(58300) WARN: [mac:unknown] Unable to match MAC 
address to IP '10.8.5.8' (pf::iplog::ip2mac)
Feb 16 09:52:33 httpd.portal(58300) INFO: [mac:unknown] Instantiate profile 
default (pf::Portal::ProfileFactory::_from_profile)
Feb 16 09:52:33 httpd.portal(58300) WARN: [mac:00:11:22:33:44:55] Unable to 
match MAC address to IP '10.8.5.8' (pf::iplog::ip2mac)
Feb 16 09:52:33 httpd.portal(58300) INFO: [mac:00:11:22:33:44:55] Instantiate 
profile default (pf::Portal::ProfileFactory::_from_profile)
Feb 16 09:52:33 httpd.portal(58300) INFO: [mac:00:11:22:33:44:55] Instantiate 
profile Internal (pf::Portal::ProfileFactory::_from_profile)
Feb 16 09:52:33 httpd.portal(58300) INFO: [mac:00:11:22:33:44:55] Releasing 
device (captiveportal::PacketFence::DynamicRouting::Module::Root::release)
Feb 16 09:52:33 httpd.portal(58300) INFO: [mac:00:11:22:33:44:55] User default 
has authenticated on the portal. (Class::MOP::Class:::after)
Feb 16 09:52:33 httpd.portal(58300) WARN: [mac:00:11:22:33:44:55] Unable to 
match MAC address to IP '10.8.5.8' (pf::iplog::ip2mac)
Feb 16 09:52:33 httpd.portal(58300) INFO: [mac:00:11:22:33:44:55] Instantiate 
profile default (pf::Portal::ProfileFactory::_from_profile)
Feb 16 09:52:33 httpd.portal(58300) INFO: [mac:00:11:22:33:44:55] re-evaluating 
access (manage_register called) (pf::enforcement::reevaluate_access)
Feb 16 09:52:33 httpd.portal(58300) WARN: [mac:00:11:22:33:44:55] Can't 
re-evaluate access because no open locationlog entry was found 
(pf::enforcement::reevaluate_access)

-----Original Message-----
From: Durand fabrice via PacketFence-users 
[mailto:packetfence-users@lists.sourceforge.net]
Sent: 16 February 2018 03:08
To: John Sayce via PacketFence-users 
Cc: Durand fabrice 
Subject: Re: [PacketFence-users] Radius Filter

You suppose to see in the packetfence.log file if 

Re: [PacketFence-users] Radius Filter

2018-02-18 Thread John Sayce via PacketFence-users

-----Original Message-----
From: Durand fabrice via PacketFence-users 
[mailto:packetfence-users@lists.sourceforge.net] 
Sent: 16 February 2018 03:08
To: John Sayce via PacketFence-users 
Cc: Durand fabrice 
Subject: Re: [PacketFence-users] Radius Filter

You are supposed to see in the packetfence.log file if the filter matches, do you see 
it?


On 2018-02-09 at 11:28, John Sayce via PacketFence-users wrote:
> I've given it a go but it doesn't seem to apply.
>
> I simplified it further to:

Re: [PacketFence-users] Radius Filter

2018-02-15 Thread Durand fabrice via PacketFence-users
You are supposed to see in the packetfence.log file if the filter matches, do 
you see it?



On 2018-02-09 at 11:28, John Sayce via PacketFence-users wrote:

I've given it a go but it doesn't seem to apply.

I simplified it further to:

[mac]
filter = node_info.mac
operator = match
value = 00:11:22:33:44:55

[2:mac]
scope = RegisteredRole
role = REJECT

This didn't seem to apply either.  Am I missing something obvious?   Is there a 
way to debug this?

John

-----Original Message-----
From: Fabrice Durand via PacketFence-users 
[mailto:packetfence-users@lists.sourceforge.net]
Sent: 06 February 2018 14:06
To: packetfence-users@lists.sourceforge.net
Cc: Fabrice Durand 
Subject: Re: [PacketFence-users] Radius Filter

Hello John,

something like that in the vlan filters should work:


[ssid]
filter = ssid
operator = is
value = OPENSSID

[role]
filter = node_info.category
operator = match
value = SOMEROLE

[1:ssid&role]
scope = RegisteredRole
role = REJECT


Regards

Fabrice



On 2018-02-06 at 08:46, John Sayce via PacketFence-users wrote:

I'm looking for a little guidance.  I've got two SSIDs, one open and
one secured.  They both use mac auth against packetfence.  I don't
want the clients that are registered for certain roles to connect to
the unsecured SSID.  Can I use a radius filter (or possibly a vlan
filter) to match the SSID and role to reject the clients?  Something
like

[ssid]
filter = ssid
operator = is
value = OPENSSID

[role]
filter = user_role
operator = is
value = SOMEROLE

[1:ssid&role]
scope = returnRadiusAccessAccept
merge_answer = no
answer1 =  RLM_MODULE_REJECT?

Not really sure how to reject the radius request.

Thanks
John Sayce

--
 Check out the vibrant tech community on one of the world's
most engaging tech sites, Slashdot.org! http://sdm.link/slashdot
___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users

--
Fabrice Durand
fdur...@inverse.ca ::  +1.514.447.4918 (x135) ::  www.inverse.ca Inverse inc. 
:: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
(http://packetfence.org)




Re: [PacketFence-users] Radius Filter

2018-02-10 Thread John Sayce via PacketFence-users
I've given it a go but it doesn't seem to apply.

I simplified it further to:

[mac]
filter = node_info.mac
operator = match
value = 00:11:22:33:44:55

[2:mac]
scope = RegisteredRole
role = REJECT

This didn't seem to apply either.  Am I missing something obvious?   Is there a 
way to debug this?

John

-----Original Message-----
From: Fabrice Durand via PacketFence-users 
[mailto:packetfence-users@lists.sourceforge.net] 
Sent: 06 February 2018 14:06
To: packetfence-users@lists.sourceforge.net
Cc: Fabrice Durand 
Subject: Re: [PacketFence-users] Radius Filter

Hello John,

something like that in the vlan filters should work:


[ssid]
filter = ssid
operator = is
value = OPENSSID

[role]
filter = node_info.category
operator = match
value = SOMEROLE

[1:ssid&role]
scope = RegisteredRole
role = REJECT


Regards

Fabrice



On 2018-02-06 at 08:46, John Sayce via PacketFence-users wrote:
> I'm looking for a little guidance.  I've got two SSIDs, one open and 
> one secured.  They both use mac auth against packetfence.  I don't 
> want the clients that are registered for certain roles to connect to 
> the unsecured SSID.  Can I use a radius filter (or possibly a vlan 
> filter) to match the SSID and role to reject the clients?  Something 
> like
>
> [ssid]
> filter = ssid
> operator = is
> value = OPENSSID
>
> [role]
> filter = user_role
> operator = is
> value = SOMEROLE
>
> [1:ssid&role]
> scope = returnRadiusAccessAccept
> merge_answer = no
> answer1 =  RLM_MODULE_REJECT?
>
> Not really sure how to reject the radius request.
>
> Thanks
> John Sayce

--
Fabrice Durand
fdur...@inverse.ca ::  +1.514.447.4918 (x135) ::  www.inverse.ca Inverse inc. 
:: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
(http://packetfence.org) 




Re: [PacketFence-users] Radius Filter

2018-02-06 Thread Fabrice Durand via PacketFence-users
Hello John,

something like that in the vlan filters should work:


[ssid]
filter = ssid
operator = is
value = OPENSSID

[role]
filter = node_info.category
operator = match
value = SOMEROLE

[1:ssid&role]
scope = RegisteredRole
role = REJECT


Regards

Fabrice



On 2018-02-06 at 08:46, John Sayce via PacketFence-users wrote:
> I'm looking for a little guidance.  I've got two SSIDs, one open and one 
> secured.  They both use mac auth against packetfence.  I don't want the 
> clients that are registered for certain roles to connect to the unsecured 
> SSID.  Can I use a radius filter (or possibly a vlan filter) to match the 
> SSID and role to reject the clients?  Something like
>
> [ssid]
> filter = ssid
> operator = is
> value = OPENSSID
>
> [role]
> filter = user_role
> operator = is
> value = SOMEROLE
>
> [1:ssid&role]
> scope = returnRadiusAccessAccept
> merge_answer = no
> answer1 =  RLM_MODULE_REJECT?
>
> Not really sure how to reject the radius request.
>
> Thanks
> John Sayce

-- 
Fabrice Durand
fdur...@inverse.ca ::  +1.514.447.4918 (x135) ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
(http://packetfence.org) 


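The filter layout discussed in this thread, modelled offline as an added example (not PacketFence code and not written by any poster): it parses the condition sections and the numbered rule section, then reports which role a lookup in the `RegisteredRole` scope would get for a given request. The operator semantics (`is` as equality, `match` as substring), ordering rules by their number, support for `&` only, and the shape of the request dictionary are assumptions made for illustration.

```python
import configparser

# Constructed copy of the vlan filter suggested in the thread.
FILTER_CONF = """
[ssid]
filter = ssid
operator = is
value = OPENSSID

[role]
filter = node_info.category
operator = match
value = SOMEROLE

[1:ssid&role]
scope = RegisteredRole
role = REJECT
"""

# Assumption: "is" is exact equality and "match" is a substring test.
OPERATORS = {
    "is": lambda actual, wanted: actual == wanted,
    "match": lambda actual, wanted: wanted in actual,
}

def lookup(request, dotted):
    """Resolve a dotted attribute such as node_info.category in a nested dict."""
    value = request
    for part in dotted.split("."):
        if not isinstance(value, dict) or part not in value:
            return None
        value = value[part]
    return value

def holds(cond, request):
    """True when one condition section matches the request."""
    actual = lookup(request, cond["filter"])
    return actual is not None and OPERATORS[cond["operator"]](str(actual), cond["value"])

def evaluate(conf_text, request, scope):
    """Return the role of the first rule in `scope` whose conditions all hold, else None."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    # Rule sections look like "1:ssid&role"; condition sections have no colon.
    rules = sorted((s for s in cp.sections() if ":" in s), key=lambda s: int(s.split(":")[0]))
    for rule in rules:
        names = rule.split(":", 1)[1].split("&")
        if cp[rule].get("scope") == scope and all(holds(cp[n], request) for n in names):
            return cp[rule].get("role")
    return None
```

A request that matches in the model but is still accepted on the live system suggests the rule is not being reached in that scope, which is what the packetfence.log check asked for in the thread would confirm.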