On 2015-04-16 14:38, Nicolas Gailly wrote:
> Great! That solves all my problems regarding 802.1x authentication!
> One thing is that what you just explained doesn't really strike you when you
> read the official documentation. You should definitely put some notes
> about it!
You know, vlan filters are really advanced stuff, and trying to explain all you can do with them would be huge to document. There are already examples in the vlan_filters.conf file and it replaces the old
> If I successfully integrate packetfence with our network, with these
> vlan filter rules, I'll try to write something about it if not done before.
> Thank you very much.
> I have another question on the management interface; I'll open a new
> thread for it.
>
> 2015-04-16 14:28 GMT+00:00 Fabrice DURAND <[email protected]>:
>
> > On 2015-04-16 09:50, Nicolas Gailly wrote:
> > > Ok, that is exactly what happened when I just played with my new 802.1x
> > > configuration.
> > > A few more questions pop into my mind though ...
> > > If 802.1x + MAB is enabled:
> > > - a new user uses 802.1x to connect, registers to the portal, uses
> > > the network and THEN disconnects.
> > > - A malicious person spoofs the client MAC address, connects to
> > > the same port without 802.1x ... and then gets access to everything :/
> > > (I tried with the same laptop, enabling 802.1x and then disabling it)
> > > Any solution?
> > Yes of course, we have plenty of solutions ;-)
> >
> > But let's imagine a workflow:
> > 802.1x and MAB have been enabled.
> >
> > I am a staff member with a laptop configured to do 802.1x; what I can do on
> > packetfence is to autoregister the device and compute the role and
> > access duration from Active Directory.
> > So if Robert logs in on the laptop and uses his username and password on the
> > 802.1x connection and he is a member of the student group, then the target role
> > will be student.
> > If I try to connect on the laptop and my group membership is staff, then
> > my role will be staff.
> > If .... gendarme .... gendarme role ....
> >
> > Now if I plug a laptop into the switch port and I have no supplicant, then
> > my connection will be mac-auth.
> > By default, if my status is reg then yes, I will be forwarded to the
> > prod vlan.
> > If I am unreg then I will hit the portal.
> >
> > So what you can do to prevent that is to write vlan filters that detect
> > that you were autoreg and you try to connect with mac-auth; if it's true
> > then unreg the device.
> >
> > Have a look at the file vlan_filters.conf and do something like that:
> >
> > [EthernetEAP]
> > filter = connection_type
> > operator = match
> > value = Ethernet-EAP
> >
> > [1:EthernetEAP]
> > scope = AutoRegister
> > role = default
> >
> > [autoreg]
> > filter = node_info
> > attribute = autoreg
> > operator = match
> > value = yes
> >
> > [WIRED_MAC_AUTH]
> > filter = connection_type
> > operator = match
> > value = WIRED_MAC_AUTH
> >
> > [2:autoreg&WIRED_MAC_AUTH]
> > scope = NormalVlan
> > action = deregister_node
> > action_param = mac = $mac
> >
> > [3:autoreg&WIRED_MAC_AUTH]
> > scope = NormalVlan
> > action = modify_node
> > action_param = mac = $mac, autoreg = no
> >
> > > One solution I can see is to disable MAB (we don't have any IP phones
> > > in the office anyway), but then every "guest" must have an 802.1x
> > > supplicant device, and also 802.1x credentials (or
> > > certificates if we use TLS). Then he could register to the portal. We
> > > could create guest credentials.
> > > Did I get it right?
> > > My boss doesn't seem to think that every human-friendly device
> > > (laptop, mobile etc.) is 802.1x, but as I search the web, it seems
> > > so, so the second solution would be viable, right?
> > So you must be behind each guest to configure the supplicant?!
> > > And is it necessary to authenticate two times when you are a new user?
> > > I mean by 802.1x AND by packetfence? There should be a possibility to
> > > combine 802.1x credentials with roles / users on packetfence, no?
> > Yes, you can do that.
> > The vlan filter above enables autoregistration for EthernetEAP connections.
> >
> > In PacketFence you have to keep in mind that the portal profile is
> > really important.
> > For example, if you want to have a specific portal profile for
> > WIRED_MAC_AUTH connections then create a new portal profile and add a
> > filter connection_type = WIRED_MAC_AUTH. So the mac-auth connection will
> > hit this portal.
> >
> > Now even if you enabled autoregistration, packetfence will try to match
> > a portal profile to compute the role and the access duration, so for
> > EthernetEAP connections, create a new portal profile with the filter
> > connection_type = EthernetEAP and assign your Active Directory
> > authentication source to it.
> >
> > > Next step: relaying radius auth to packetfence + kerberos (will
> > > probably start a new thread when questions arise .. !!)
> > >
> > > Again, thank you very much for your time!
> > >
> > > ps: marvellous product so far, great job guys!
> > > pps: it's always a pleasure to see good francophone software ;)
> > >
> > > 2015-04-16 15:03 GMT+02:00 Fabrice DURAND <[email protected]>:
> > >
> > > > Hello
> > > > On 2015-04-16 04:43, Nicolas Gailly wrote:
> > > > > Hello
> > > > >
> > > > > I reply to the thread
> > > > > http://sourceforge.net/p/packetfence/mailman/message/33832156/
> > > > > I am so sorry I did not subscribe to the mailing list at the time, so I could
> > > > > not respond to the thread ... (Yes, people still don't know how to use
> > > > > mailing lists.. Now I do ;)
> > > > >
> > > > > If I understand you well, that means:
> > > > > - a NEW user will automatically try to connect with 802.1x (that
> > > > > implies that every device supports 802.1x natively?)
> > > > Yes of course
> > > > > - Packetfence / freeradius will see that the device is not registered
> > > > > and therefore will OPEN the port and set it up in the registration VLAN
> > > > > - the user can now register ...
> > > >
> > > > It's not really true:
> > > > If you do mac-auth then what you said is true.
> > > > If you do 802.1x authentication and it failed then the connection is
> > > > denied.
> > > >
> > > > > - a REGISTERED user will try to connect with 802.1x
> > > > > - he will give his credentials
> > > > > - if they are OK, packetfence sets them in the data VLAN
> > > > Yes
> > > > > - if they are NOT OK, packetfence will put them in the registration
> > > > > VLAN?
> > > >
> > > > No. The connection is denied.
> > > >
> > > > If you do 802.1x you must have a valid username and password to access
> > > > the production network.
> > > >
> > > > What you can do is the following:
> > > > configure 802.1x (Cisco example):
> > > >
> > > > https://github.com/inverse-inc/packetfence/blob/devel/docs/PacketFence_Network_Devices_Configuration_Guide.asciidoc#8021x-with-mac-authentication-bypass-multidomain
> > > >
> > > > Then if you have an 802.1x supplicant and a valid username and password
> > > > then you will be allowed on the network.
> > > > If you don't have a supplicant then the connection will be mac-auth and
> > > > you will hit the captive portal to register.
> > > >
> > > > > Thank you for your time, and sorry again for the new thread... I am
> > > > > registered now so it's good!
> > > > >
> > > > > Nicolas GAILLY
> > > >
> > > > Regards
> > > > Fabrice
> >
> > Regards
> > Fabrice
Regards
Fabrice

-- 
Fabrice Durand
[email protected] :: +1.514.447.4918 (x135) :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence (http://packetfence.org)
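As an added example that is not part of this thread or of PacketFence itself, the Python below models how the two scopes in Fabrice's vlan_filters.conf rules work together: the Ethernet-EAP rule autoregisters the node, and a later WIRED_MAC_AUTH connection from a MAC flagged autoreg=yes fires the deregister_node and modify_node actions instead of landing in the production VLAN. The evaluator (evaluate, spoof_scenario, the MAC address) is a constructed simplification: "match" is treated as equality and a role returned in the AutoRegister scope is taken to register the node, whereas the real engine supports more operators and actions.

```python
import configparser
RULES = """[EthernetEAP]
filter = connection_type
operator = match
value = Ethernet-EAP
[1:EthernetEAP]
scope = AutoRegister
role = default
[autoreg]
filter = node_info
attribute = autoreg
operator = match
value = yes
[WIRED_MAC_AUTH]
filter = connection_type
operator = match
value = WIRED_MAC_AUTH
[2:autoreg&WIRED_MAC_AUTH]
scope = NormalVlan
action = deregister_node
action_param = mac = $mac
[3:autoreg&WIRED_MAC_AUTH]
scope = NormalVlan
action = modify_node
action_param = mac = $mac, autoreg = no"""
# RULES is a constructed copy of the filters posted in the thread (blank lines dropped).
CFG = configparser.ConfigParser()
CFG.read_string(RULES)

def evaluate(scope, connection_type, node):
    """Apply the numbered rules of one scope to node in place; return the rule names fired."""
    def holds(c):  # a filter section matches when the field it selects equals its 'value'
        field = node[CFG[c]["attribute"]] if CFG[c]["filter"] == "node_info" else connection_type
        return CFG[c]["operator"] == "match" and field == CFG[c]["value"]
    fired = []
    for name in (n for n in CFG.sections() if ":" in n and CFG[n]["scope"] == scope):
        if not all(holds(c) for c in name.split(":")[1].split("&")):
            continue
        if scope == "AutoRegister":  # a role from this scope registers the node as autoreg
            node.update(status="reg", autoreg="yes", role=CFG[name]["role"])
        elif CFG[name]["action"] == "deregister_node":
            node["status"] = "unreg"
        elif CFG[name]["action"] == "modify_node":  # e.g. "mac = $mac, autoreg = no"
            for k, v in (p.split("=") for p in CFG[name]["action_param"].split(",")):
                node[k.strip()] = node["mac"] if v.strip() == "$mac" else v.strip()
        fired.append(name)
    return fired
def spoof_scenario():  # constructed walk-through: 802.1X session, then MAC-auth from the same MAC
    node = {"mac": "00:11:22:33:44:55", "status": "unreg", "autoreg": "no"}
    return evaluate("AutoRegister", "Ethernet-EAP", node), evaluate("NormalVlan", "WIRED_MAC_AUTH", node), node
```

A node that was never autoregistered matches neither NormalVlan rule, so a first-time MAC-auth connection still goes through the normal registration path.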
------------------------------------------------------------------------------
BPM Camp - Free Virtual Workshop May 6th at 10am PDT/1PM EDT
Develop your own process in accordance with the BPMN 2 standard
Learn Process modeling best practices with Bonita BPM through live exercises
http://www.bonitasoft.com/be-part-of-it/events/bpm-camp-virtual-event?utm_source=Sourceforge_BPM_Camp_5_6_15&utm_medium=email&utm_campaign=VA_SF
_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
