OK, that is exactly what happened when I just played with my new 802.1x
configuration.
A few more questions pop into my mind though ...
If 802.1x + MAB is enabled:
    - a new user uses 802.1x to connect, registers on the portal, uses the
network and THEN disconnects.
    - A malicious person spoofs the client MAC address, and connects to the
same port without 802.1x ... and then gets access to everything :/ (I tried
with the same laptop, enabling 802.1x and then disabling it)
Any solution?
One solution I can see is to disable MAB (we don't have any IP phones in the
office anyway), but then every "guest" must have an 802.1x supplicant
device, and also have 802.1x credentials (or certificates if we use
TLS). Then he could register on the portal. We could create guest
credentials.
Did I get it right?
My boss doesn't seem to think that every human-friendly device (laptop,
mobile, etc.) is 802.1x-capable, but as I search the web, it seems so; then the
second solution would be viable, right?
And is it necessary to authenticate twice when you are a new user? I
mean by 802.1x AND by PacketFence? There should be a possibility to combine
802.1x credentials with roles / users on PacketFence, no?

Next step: relaying RADIUS auth to PacketFence + Kerberos. (I will probably
start a new thread when questions arise .. !!)

Again, thank you very much for your time!

ps : marvellous product so far, great job guys!
pps : it's always a pleasure to see good French-language software ;)


2015-04-16 15:03 GMT+02:00 Fabrice DURAND <[email protected]>:

> Hello
> On 2015-04-16 04:43, Nicolas Gailly wrote:
> > Hello
> >
> > I am replying to the thread
> > http://sourceforge.net/p/packetfence/mailman/message/33832156/
> > I am so sorry I did not subscribe to the mailing list at the time, so I could
> > not respond to the thread ... (Yes, people still don't know how to use
> > mailing lists.. Now I do ;)
> >
> > If I understand you well, that means:
> >  - a NEW user will automatically try to connect with 802.1x (that
> > implies that every device supports 802.1x natively?)
> Yes of course
> >  - PacketFence / FreeRADIUS will see that the device is not registered
> > and therefore will OPEN the port and set it up in the registration VLAN
> >   - the user can now register ...
> >
> It's not really true:
> If you do MAC-auth then what you said is true.
> If you do 802.1x authentication and it fails then the connection is
> denied.
>
> >  - a REGISTERED user will try to connect with 802.1x
> >   - he will give his credentials
> >   - if they are OK, PacketFence sets them in the data VLAN
> Yes
> >    - if they are NOT OK, PacketFence will put them in the registration
> > VLAN?
> >
> No. The connection is denied.
>
> If you do 802.1x you must have a valid username and password to access
> the production network.
>
> What you can do is the following:
> configure 802.1x (Cisco example):
>
> https://github.com/inverse-inc/packetfence/blob/devel/docs/PacketFence_Network_Devices_Configuration_Guide.asciidoc#8021x-with-mac-authentication-bypass-multidomain
>
> Then if you have an 802.1x supplicant and a valid username and password,
> you will be allowed on the network.
> If you don't have a supplicant then the connection will be MAC-auth and
> you will hit the captive portal to register.
>
> > Thank you for your time , and sorry again for the new thread... I am
> > registered now so it's good !
> >
> > Nicolas GAILLY
> >
> >
> >
> ------------------------------------------------------------------------------
> > BPM Camp - Free Virtual Workshop May 6th at 10am PDT/1PM EDT
> > Develop your own process in accordance with the BPMN 2 standard
> > Learn Process modeling best practices with Bonita BPM through live
> exercises
> > http://www.bonitasoft.com/be-part-of-it/events/bpm-camp-virtual-
> event?utm_
> > source=Sourceforge_BPM_Camp_5_6_15&utm_medium=email&utm_campaign=VA_SF
> >
> >
> > _______________________________________________
> > PacketFence-users mailing list
> > [email protected]
> > https://lists.sourceforge.net/lists/listinfo/packetfence-users
> Regards
> Fabrice
>
>
> --
> Fabrice Durand
> [email protected] ::  +1.514.447.4918 (x135) ::  www.inverse.ca
> Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence (
> http://packetfence.org)
>
>
>
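The "802.1X first, MAB as fallback" port setup Fabrice describes, written out as an added Cisco IOS example. This is not taken from the PacketFence guide or from either poster; the interface name, the RADIUS server address 192.0.2.10, the shared secret and the VLAN handling (left to the RADIUS reply) are placeholders.

```cisco
! Added example, not from the PacketFence documentation.
! Cisco IOS access port: try 802.1X first, fall back to MAB only for
! devices that never answer EAP. 192.0.2.10 / SECRET / Gi1/0/1 are placeholders.
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
dot1x system-auth-control
!
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key SECRET
!
interface GigabitEthernet1/0/1
 switchport mode access
 ! dot1x is tried before mab and wins if both could apply
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 ! one MAC per port; a second MAC showing up is a violation, not a free ride
 authentication host-mode single-host
 ! re-authenticate on the RADIUS Session-Timeout so a decision made for one
 ! device does not stay bound to the port indefinitely
 authentication periodic
 authentication timer reauthenticate server
 mab
 dot1x pae authenticator
 ! seconds to wait for an EAP reply before giving up on 802.1X and trying MAB
 dot1x timeout tx-period 10
 spanning-tree portfast
```

Two caveats worth keeping in mind when reading this against the thread. First, MAB authenticates nothing but a MAC address, so as long as `mab` is on the port the spoofing scenario Nicolas tested will work for any device whose MAC has already been registered; single-host mode and periodic re-authentication shorten the window but do not close it, and only removing MAB (or handing MAB sessions a restricted role/VLAN instead of the production one) does. Second, the example deliberately omits `authentication event fail action next-method`: with that line a failed 802.1X attempt falls through to MAB, which is the opposite of the "failed 802.1X means denied" behaviour Fabrice describes.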