On 2015-04-16 09:50, Nicolas Gailly wrote:
> Ok that is exactly what happened when I just played with my new 802.1x
> configuration.
> A few more questions pop into my mind though ...
> If 802.1x + MAB is enabled:
> - a new user uses 802.1x to connect, registers to the portal, uses
>   the network and THEN disconnects.
> - A malicious person spoofs the client MAC address, and connects to
>   the same port without 802.1x ... and then gets access to everything :/
>   (I tried with the same laptop, enabling 802.1x and then disabling)
> any solution?

Yes of course, we have plenty of solutions ;-)
But let's imagine a workflow: 802.1x and MAB have been enabled.

I am a staff member with a laptop configured to do 802.1x; what I can do on PacketFence is autoregister the device and compute the role and access duration from Active Directory.
So if Robert logs in to the laptop and uses his username and password on the 802.1x connection and he is a member of the student group, then the target role will be student.
If I try to connect on the laptop and my group membership is staff, then my role will be staff.
If .... gendarme .... gendarme role ....

Now if I plug a laptop into the switch port and I have no supplicant, then my connection will be mac-auth.
By default, if my status is reg then yes, I will be forwarded to the prod VLAN; if I am unreg then I will hit the portal.

So what you can do to prevent that is to write VLAN filters that detect that you were autoreg and you try to connect with mac-auth; if that's true, then unreg the device.
Have a look at the file vlan_filters.conf and do something like that:

[EthernetEAP]
filter = connection_type
operator = match
value = Ethernet-EAP

[1:EthernetEAP]
scope = AutoRegister
role = default

[autoreg]
filter = node_info
attribute = autoreg
operator = match
value = yes

[WIRED_MAC_AUTH]
filter = connection_type
operator = match
value = WIRED_MAC_AUTH

[2:autoreg&WIRED_MAC_AUTH]
scope = NormalVlan
action = deregister_node
action_param = mac = $mac

[3:autoreg&WIRED_MAC_AUTH]
scope = NormalVlan
action = modify_node
action_param = mac = $mac, autoreg = no

> One solution I can see is to disable MAB (we don't have any IP phone
> in the office anyway), but then every "guest" must have an 802.1x
> supplicant device, and also have 802.1x credentials (or
> certificates if we use TLS). Then he could register to the portal. We
> could create guest credentials.
> Did I get it right?
> My boss doesn't seem to think that every human-friendly device
> (laptop, mobile etc.) is 802.1x, but as I search on the web, it seems
> so, then the second solution would be viable, right?

So you must be behind each guest to configure the supplicant ?!

> And is it necessary to authenticate two times when you are a new user?
> I mean by 802.1x AND by PacketFence? There should be a possibility to
> combine 802.1x credentials with roles / users on PacketFence, no?

Yes, you can do that. The VLAN filter above enables autoregistration for EthernetEAP connections.
In PacketFence you have to keep in mind that the portal profile is really important.
For example, if you want to have a specific portal profile for WIRED_MAC_AUTH connections, then create a new portal profile and add a filter connection_type = WIRED_MAC_AUTH. So the mac-auth connection will hit this portal.
Now even if you enabled autoregistration, PacketFence will try to match a portal profile to compute the role and the access duration, so for EthernetEAP connections, create a new portal profile with the filter connection_type = EthernetEAP and assign your Active Directory authentication source to it.

>
> Next step: relaying RADIUS auth to PacketFence + Kerberos. (will
> probably start a new thread when questions arise ..!!)
>
> Again, thank you very much for your time!
>
> ps: marvellous product so far, great job guys!
> pps: it's always a pleasure to see good French-speaking software ;)
>
>
> 2015-04-16 15:03 GMT+02:00 Fabrice DURAND <[email protected]>:
>
> > Hello
> > On 2015-04-16 04:43, Nicolas Gailly wrote:
> > > Hello
> > >
> > > I reply to the thread
> > > http://sourceforge.net/p/packetfence/mailman/message/33832156/
> > > I am so sorry I did not subscribe to the mailing list at the time so I could
> > > not respond to the thread ... (Yes, people still don't know how
> > > to use mailing lists..
> > > Now I do ;)
> > >
> > > If I understand you well, that means:
> > > - a NEW user will automatically try to connect with 802.1x (that
> > >   implies that every device supports 802.1x natively?)
> > Yes of course
> > > - PacketFence / FreeRADIUS will see that the device is not registered
> > >   and therefore will OPEN the port and set it up in the registration VLAN
> > > - the user can now register ...
> >
> > It's not really true:
> > If you do mac-auth then what you said is true.
> > If you do 802.1x authentication and it fails then the connection is denied.
> >
> > > - a REGISTERED user will try to connect to 802.1x
> > > - he will give his credentials
> > > - if they are OK, PacketFence sets them in the data VLAN
> > Yes
> > > - if they are NOT OK, PacketFence will put them in the registration VLAN?
> >
> > No. The connection is denied.
> >
> > If you do 802.1x you must have a valid username and password to access
> > the production network.
> >
> > What you can do is the following:
> > configure 802.1x (Cisco example):
> >
> > https://github.com/inverse-inc/packetfence/blob/devel/docs/PacketFence_Network_Devices_Configuration_Guide.asciidoc#8021x-with-mac-authentication-bypass-multidomain
> >
> > Then if you have an 802.1x supplicant and a valid username and password
> > then you will be allowed on the network.
> > If you don't have a supplicant then the connection will be mac-auth and
> > you will hit the captive portal to register.
> >
> > > Thank you for your time, and sorry again for the new thread... I am
> > > registered now so it's good!
> > >
> > > Nicolas GAILLY
> > >
> > > ------------------------------------------------------------------------------
> > > BPM Camp - Free Virtual Workshop May 6th at 10am PDT/1PM EDT
> > > Develop your own process in accordance with the BPMN 2 standard
> > > Learn Process modeling best practices with Bonita BPM through live exercises
> > > http://www.bonitasoft.com/be-part-of-it/events/bpm-camp-virtual-event?utm_source=Sourceforge_BPM_Camp_5_6_15&utm_medium=email&utm_campaign=VA_SF
> > > _______________________________________________
> > > PacketFence-users mailing list
> > > [email protected]
> > > https://lists.sourceforge.net/lists/listinfo/packetfence-users
> >
> > Regards
> > Fabrice
Regards
Fabrice

--
Fabrice Durand
[email protected] :: +1.514.447.4918 (x135) :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence (http://packetfence.org)
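The vlan_filters.conf rules posted in this thread, replayed in an added Python example that is not part of the thread and not PacketFence's own code: it parses the posted rules with configparser, evaluates the autoreg and WIRED_MAC_AUTH conditions with a small toy subset of the filter engine (only the match operator, treated as a regex, and the & combinator; PacketFence's real engine supports more), and shows an autoregistered node being deregistered when the same MAC comes back through mac-auth, while a manually registered node is left alone. The node records and MAC addresses are constructed for the example.

```python
"""Toy evaluator for the vlan_filters.conf rules posted in the thread.

Added example, not PacketFence's own code. Only the 'match' operator
(regex search) and the '&' combinator are modelled; scopes are limited to
AutoRegister and NormalVlan, and actions to deregister_node / modify_node.
"""
import configparser
import re

# The rules from the thread, embedded verbatim.
VLAN_FILTERS_CONF = """
[EthernetEAP]
filter = connection_type
operator = match
value = Ethernet-EAP

[1:EthernetEAP]
scope = AutoRegister
role = default

[autoreg]
filter = node_info
attribute = autoreg
operator = match
value = yes

[WIRED_MAC_AUTH]
filter = connection_type
operator = match
value = WIRED_MAC_AUTH

[2:autoreg&WIRED_MAC_AUTH]
scope = NormalVlan
action = deregister_node
action_param = mac = $mac

[3:autoreg&WIRED_MAC_AUTH]
scope = NormalVlan
action = modify_node
action_param = mac = $mac, autoreg = no
"""


def load_filters(text):
    """Split the file into named conditions and numbered, scoped rules.

    Sections without ':' are conditions; 'N:expr' sections are rules whose
    expr names the conditions to combine. Rules come back sorted by N.
    """
    cp = configparser.ConfigParser(interpolation=None)  # keep '$mac' literal
    cp.read_string(text)
    conditions, rules = {}, []
    for name in cp.sections():
        section = dict(cp[name])
        if ":" in name:
            num, expr = name.split(":", 1)
            rules.append((int(num), expr, section))
        else:
            conditions[name] = section
    rules.sort(key=lambda r: r[0])
    return conditions, rules


def condition_matches(cond, ctx):
    """Evaluate one condition against the connection context."""
    if cond["filter"] == "node_info":
        actual = ctx["node_info"].get(cond["attribute"], "")
    else:
        actual = ctx.get(cond["filter"], "")
    if cond["operator"] == "match":
        return re.search(cond["value"], str(actual)) is not None
    raise ValueError("operator not modelled: " + cond["operator"])


def parse_action_param(raw, ctx):
    """'mac = $mac, autoreg = no' -> {'mac': '<mac>', 'autoreg': 'no'}."""
    params = {}
    for item in raw.split(","):
        if "=" in item:
            key, val = (s.strip() for s in item.split("=", 1))
            params[key] = val.replace("$mac", ctx["mac"])
    return params


def evaluate(scope, conditions, rules, ctx):
    """Return (rule number, action, params) for each rule of `scope` that fires."""
    fired = []
    for num, expr, rule in rules:
        if rule.get("scope") != scope:
            continue
        # '&' means every named condition must hold.
        if all(condition_matches(conditions[n], ctx) for n in expr.split("&")):
            action = rule.get("action", "assign_role:" + rule.get("role", ""))
            fired.append((num, action, parse_action_param(rule.get("action_param", ""), ctx)))
    return fired


def apply_connection(node, connection_type, conditions, rules):
    """Run one connection through both scopes, mutate the node, return what fired."""
    ctx = {"connection_type": connection_type, "node_info": node, "mac": node["mac"]}
    fired = evaluate("AutoRegister", conditions, rules, ctx)
    if fired:  # an 802.1X match autoregisters the device, as in the thread
        node["status"], node["autoreg"] = "reg", "yes"
    fired += evaluate("NormalVlan", conditions, rules, ctx)
    for _, action, params in fired:
        if action == "deregister_node":
            node["status"] = "unreg"
        elif action == "modify_node":
            node.update({k: v for k, v in params.items() if k != "mac"})
    return fired


def replay_thread_scenario():
    """Laptop registers via 802.1X; the same MAC then reappears via mac-auth."""
    conditions, rules = load_filters(VLAN_FILTERS_CONF)
    node = {"mac": "00:11:22:33:44:55", "status": "unreg", "autoreg": "no"}  # constructed
    first = apply_connection(node, "Ethernet-EAP", conditions, rules)
    after_eap = dict(node)
    second = apply_connection(node, "WIRED_MAC_AUTH", conditions, rules)
    return after_eap, dict(node), [n for n, _, _ in first], [n for n, _, _ in second]


if __name__ == "__main__":
    print(replay_thread_scenario())
```

Rule 2 puts the spoofed MAC back to unreg, so the mac-auth session lands on the registration VLAN and the portal instead of the production VLAN, and rule 3 clears the autoreg flag so the node is treated like any other manually registered device from then on.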
Attachment: 0xF78F957E.asc (application/pgp-keys)
