Hey guys,
I have a case running with Inverse, but just wanted to check if anyone else has
gotten around this problem.
We have started using USB-C docks for some of our Lenovo ThinkPads and are
getting into issues based on the fact that the docks have their own ethernet
card, and thus their own MAC address.
When a computer hooks up, the computer sees the Thunderbolt dock's ethernet card
and tries to authenticate. As I have not registered the ethernet card of the
dock, it fails to register and gets the registration VLAN.
If I register the dock MAC address, but leave it with no role, then when the
computer connects it will successfully authenticate using Ethernet-EAP for the
computer object, or by EAP-TLS for the user object. Now PacketFence 6.5.1 will
register the role on the MAC address, so the MAC address now inherits the role
that is calculated based on EAP. If I then take another computer, that is not
in the domain and try to log on using a built-in local admin, not an AD
account, then the computer gets online on the secure VLAN calculated before,
because it now uses MAC Authentication Bypass - which is related to the MAC
address.
The problem here is that the MAC address does not identify this single PC, it
could be any compatible PC that connects to this dock and they would get the
secure LAN role...
We do rely on MAB for other dumb devices, but they do not get access to our
secure LAN.
How have you guys gotten around this?
Br,
Jes
_______________________________________________
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users