Great! That solves all my problems regarding 802.1x authentication!
One thing is that what you just explained doesn't really strike you when you read
the official documentation. You should definitely put some notes about it!
If I successfully integrate PacketFence with our network, with these VLAN
filter rules, I'll try to write something about it if not done before.
Thank you very much.
I have another question on the management interface; I'll open a new thread for
it.
2015-04-16 14:28 GMT+00:00 Fabrice DURAND <[email protected]>:
> On 2015-04-16 09:50, Nicolas Gailly wrote:
> > OK, that is exactly what happened when I just played with my new 802.1x
> > configuration.
> > A few more questions pop into my mind though...
> > If 802.1x + MAB is enabled:
> > - a new user uses 802.1x to connect, registers on the portal, uses
> > the network and THEN disconnects.
> > - A malicious person spoofs the client MAC address, connects to
> > the same port without 802.1x... and then gets access to everything :/
> > (I tried with the same laptop, enabling 802.1x and then disabling it)
> > Any solution?
> Yes, of course we have plenty of solutions ;-)
>
> But let's imagine a workflow:
> 802.1x and MAB have been enabled.
>
> I am a staff member with a laptop configured to do 802.1x; what I can do in
> PacketFence is autoregister the device and compute the role and
> access duration from Active Directory.
> So if Robert logs in to the laptop and uses his username and password on the
> 802.1x connection and he is a member of the student group, then the target role
> will be student.
> If I try to connect on the laptop and my group membership is staff, then
> my role will be staff.
> If .... gendarme .... gendarme role ....
>
> Now if I plug a laptop into the switch port and I have no supplicant, then
> my connection will be mac-auth.
> By default, if my status is reg then yes, I will be forwarded to the prod
> VLAN.
> If I am unreg then I will hit the portal.
>
> So what you can do to prevent that is to write vlan filters that detect
> that you were autoreg and you try to connect with mac-auth; if it's true
> then unreg the device.
>
> Have a look at the file vlan_filters.conf and do something like that:
>
> [EthernetEAP]
> filter = connection_type
> operator = match
> value = Ethernet-EAP
>
> [1:EthernetEAP]
> scope = AutoRegister
> role = default
>
>
> [autoreg]
> filter = node_info
> attribute = autoreg
> operator = match
> value = yes
>
> [WIRED_MAC_AUTH]
> filter = connection_type
> operator = match
> value = WIRED_MAC_AUTH
>
> [2:autoreg&WIRED_MAC_AUTH]
> scope = NormalVlan
> action = deregister_node
> action_param = mac = $mac
>
> [3:autoreg&WIRED_MAC_AUTH]
> scope = NormalVlan
> action = modify_node
> action_param = mac = $mac, autoreg = no
>
>
>
> > One solution I can see is to disable MAB (we don't have any IP phones
> > in the office anyway), but then every "guest" must have an 802.1x
> > supplicant device, and also have 802.1x credentials (or
> > certificates if we use TLS). Then he could register on the portal. We
> > could create guest credentials.
> > Did I get it right?
> > My boss doesn't seem to think that every human-friendly device
> > (laptop, mobile etc.) is 802.1x, but as I search on the web, it seems
> > so, so the second solution would be viable, right?
> So you must be behind each guest to configure the supplicant?!
> > And is it necessary to authenticate two times when you are a new user?
> > I mean by 802.1x AND by PacketFence? There should be a possibility to
> > combine 802.1x credentials with roles / users on PacketFence, no?
> Yes, you can do that.
> The vlan filter above enables autoregistration for EthernetEAP connections.
>
> In PacketFence you have to keep in mind that the portal profile is
> really important.
> For example, if you want to have a specific portal profile for
> WIRED_MAC_AUTH connections, then create a new portal profile and add a
> filter connection_type = WIRED_MAC_AUTH. So the mac-auth connection will
> hit this portal.
>
> Now even if you enabled autoregistration, PacketFence will try to match
> a portal profile to compute the role and the access duration, so for
> EthernetEAP connections, create a new portal profile with the filter
> connection_type = EthernetEAP and assign your Active Directory
> authentication source to it.
>
>
> >
> > Next step: relaying RADIUS auth to PacketFence + Kerberos (will
> > probably start a new thread when questions arise..!!)
> >
> > Again, thank you very much for your time!
> >
> > ps: marvellous product so far, great job guys!
> > pps: it's always a pleasure to see good French-speaking software ;)
> >
> >
> > 2015-04-16 15:03 GMT+02:00 Fabrice DURAND <[email protected]>:
> >
> > Hello
> > On 2015-04-16 04:43, Nicolas Gailly wrote:
> > > Hello
> > >
> > > I reply to the thread
> > > http://sourceforge.net/p/packetfence/mailman/message/33832156/
> > > I am so sorry I did not subscribe to the mailing list at the time so I
> > > could not respond to the thread... (Yes, people still don't know how
> > > to use mailing lists.. Now I do ;)
> > >
> > > If I understand you well, that means:
> > > - a NEW user will automatically try to connect with 802.1x (that
> > > implies that every device supports 802.1x natively?)
> > Yes, of course
> > > - PacketFence / FreeRADIUS will see that the device is not registered
> > > and therefore will OPEN the port and set it up in the
> > > registration VLAN
> > > - the user can now register...
> > >
> > It's not really true:
> > If you do mac-auth then what you said is true.
> > If you do 802.1x authentication and it failed then the
> > connection is denied.
> >
> > > - a REGISTERED user will try to connect with 802.1x
> > > - he will give his credentials
> > > - if they are OK, PacketFence puts them in the data VLAN
> > Yes
> > > - if they are NOT OK, PacketFence will put them in the
> > > registration VLAN?
> > >
> > No, the connection is denied.
> >
> > If you do 802.1x you must have a valid username and password to
> > access the production network.
> >
> > What you can do is the following:
> > configure 802.1x (Cisco example):
> >
> > https://github.com/inverse-inc/packetfence/blob/devel/docs/PacketFence_Network_Devices_Configuration_Guide.asciidoc#8021x-with-mac-authentication-bypass-multidomain
> >
> > Then if you have an 802.1x supplicant and a valid username and
> > password then you will be allowed on the network.
> > If you don't have a supplicant then the connection will be
> > mac-auth and you will hit the captive portal to register.
> >
> > > Thank you for your time, and sorry again for the new thread... I
> > > am registered now so it's good!
> > >
> > > Nicolas GAILLY
> > >
>
> ------------------------------------------------------------------------------
> > > BPM Camp - Free Virtual Workshop May 6th at 10am PDT/1PM EDT
> > > Develop your own process in accordance with the BPMN 2 standard
> > > Learn Process modeling best practices with Bonita BPM through
> > live exercises
> > > http://www.bonitasoft.com/be-part-of-it/events/bpm-camp-virtual-
> > event?utm_
> > >
> >
> source=Sourceforge_BPM_Camp_5_6_15&utm_medium=email&utm_campaign=VA_SF
> > >
> > >
> > > _______________________________________________
> > > PacketFence-users mailing list
> > > [email protected]
> > <mailto:[email protected]>
> > > https://lists.sourceforge.net/lists/listinfo/packetfence-users
> > Regards
> > Fabrice
> >
> >
> > --
> > Fabrice Durand
> > [email protected] :: +1.514.447.4918 (x135) :: www.inverse.ca
> > Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and
> > PacketFence (http://packetfence.org)
> >
> >
> >
> Regards
> Fabrice
>
>
> --
> Fabrice Durand
> [email protected] :: +1.514.447.4918 (x135) :: www.inverse.ca
> Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence (http://packetfence.org)
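To make the vlan_filters.conf rules quoted in Fabrice's reply concrete, here is an added Python model of how they play out in the spoofing scenario Nicolas describes. It is illustration code written for this page, not PacketFence's own filter engine and not code from the thread: it parses a copy of the excerpt with configparser, evaluates the condition sections against a connection context, and applies the two actions (deregister_node, modify_node) to an in-memory node table. Assumptions are marked in comments: the `match` operator is treated as a regular-expression search, `&` is the only rule combinator, the node table and the MAC address are constructed, and the section name `[WIRED_MAC_AUTH]` is written without the stray leading space.

```python
import configparser
import re

# Constructed copy of the vlan_filters.conf excerpt from the thread.
VLAN_FILTERS_CONF = """
[EthernetEAP]
filter = connection_type
operator = match
value = Ethernet-EAP

[1:EthernetEAP]
scope = AutoRegister
role = default

[autoreg]
filter = node_info
attribute = autoreg
operator = match
value = yes

[WIRED_MAC_AUTH]
filter = connection_type
operator = match
value = WIRED_MAC_AUTH

[2:autoreg&WIRED_MAC_AUTH]
scope = NormalVlan
action = deregister_node
action_param = mac = $mac

[3:autoreg&WIRED_MAC_AUTH]
scope = NormalVlan
action = modify_node
action_param = mac = $mac, autoreg = no
"""

RULE_NAME = re.compile(r"^(\d+):(.+)$")  # rules are named "N:expr"


def parse_conf(text):
    """Split the INI sections into named conditions and numbered rules."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    conditions, rules = {}, []
    for name in cp.sections():
        section = dict(cp[name])
        m = RULE_NAME.match(name)
        if m:
            rules.append({"id": int(m.group(1)), "expr": m.group(2), **section})
        else:
            conditions[name] = section
    rules.sort(key=lambda r: r["id"])
    return conditions, rules


def condition_holds(cond, ctx):
    """Evaluate one condition. Only the two filter kinds used in the excerpt
    are modelled; 'match' is treated as a regex search (assumption)."""
    if cond["filter"] == "connection_type":
        actual = ctx["connection_type"]
    elif cond["filter"] == "node_info":
        actual = ctx["node_info"].get(cond["attribute"], "")
    else:
        raise ValueError("unsupported filter: %s" % cond["filter"])
    if cond.get("operator", "match") != "match":
        raise ValueError("unsupported operator: %s" % cond["operator"])
    return re.search(cond["value"], str(actual)) is not None


def matching_rules(conditions, rules, scope, ctx):
    """Rules of `scope` whose '&'-joined conditions all hold (assumption:
    '&' is the only combinator, as in the excerpt)."""
    hits = []
    for rule in rules:
        if rule.get("scope") != scope:
            continue
        names = [n.strip() for n in rule["expr"].split("&")]
        if all(condition_holds(conditions[n], ctx) for n in names):
            hits.append(rule)
    return hits


def parse_action_param(param, mac):
    """'mac = $mac, autoreg = no' -> {'mac': <mac>, 'autoreg': 'no'}."""
    out = {}
    for pair in param.split(","):
        key, _, value = pair.partition("=")
        out[key.strip()] = value.strip().replace("$mac", mac)
    return out


def apply_actions(conditions, rules, scope, ctx, nodes, mac):
    """Apply every matching rule's action to the node table; return the
    action names that fired, in rule order."""
    fired = []
    for rule in matching_rules(conditions, rules, scope, ctx):
        if "action" not in rule:
            continue
        params = parse_action_param(rule["action_param"], mac)
        node = nodes.setdefault(params["mac"], {})
        if rule["action"] == "deregister_node":
            node["status"] = "unreg"          # node must hit the portal again
        elif rule["action"] == "modify_node":
            node.update({k: v for k, v in params.items() if k != "mac"})
        else:
            raise ValueError("unsupported action: %s" % rule["action"])
        fired.append(rule["action"])
    return fired


def simulate(first_connection, second_connection, mac="00:11:22:33:44:55"):
    """Connect a constructed MAC first over `first_connection` (autoregistering
    it if the AutoRegister scope matches), then over `second_connection`;
    return the node record and the NormalVlan actions the second hop fired."""
    conditions, rules = parse_conf(VLAN_FILTERS_CONF)
    nodes = {}
    ctx = {"connection_type": first_connection, "node_info": {}}
    autoreg = matching_rules(conditions, rules, "AutoRegister", ctx)
    if autoreg:
        nodes[mac] = {"status": "reg", "autoreg": "yes",
                      "category": autoreg[0]["role"]}
    ctx = {"connection_type": second_connection,
           "node_info": nodes.get(mac, {})}
    fired = apply_actions(conditions, rules, "NormalVlan", ctx, nodes, mac)
    return nodes.get(mac, {}), fired


if __name__ == "__main__":
    # 802.1x first, then the same MAC without a supplicant: the autoreg'ed
    # node is deregistered and loses its flag, so the MAB session hits the portal.
    print(simulate("Ethernet-EAP", "WIRED_MAC_AUTH"))
    # 802.1x both times: no NormalVlan action fires.
    print(simulate("Ethernet-EAP", "Ethernet-EAP"))
```

The point the model makes explicit is that rule 3 (`modify_node`, autoreg = no) matters as much as rule 2: deregistering alone would let the next 802.1x login autoregister the node again, while clearing the flag records that the device's registered state was lost through a MAC-auth downgrade. Both rules are evaluated against the node's state before either action runs, which is why both fire on the same connection.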