Hello Dennis,

We have a default similar rule for Wireless where, if you have been seen doing a valid 802.1x authentication and that same MAC address is doing a MAC authentication, the node will be automatically unregistered.

You can clone that rule and apply it to the wired by changing the connection type.

    [pf_deauth_from_wireless_secure]
    run_actions=enabled
    status=enabled
    description=Prevent an autoregistered 802.1x user to switch to an Open SSID and keep the same level of access
    condition=connection_type == "Wireless-802.11-NoEAP" && node_info.last_connection_type == "Wireless-802.11-EAP" && node_info.status == "reg" && node_info.autoreg == "yes"
    scopes = RegisteredRole
    action.0=modify_node: mac, $mac, status = unreg, autoreg = no
    role = registration

Thanks,

Ludovic Zammit
Product Support Engineer Principal
Cell: +1.613.670.8432
Akamai Technologies - Inverse
145 Broadway
Cambridge, MA 02142

Connect with Us: <https://community.akamai.com/> <http://blogs.akamai.com/> <https://twitter.com/akamai> <http://www.facebook.com/AkamaiTechnologies> <http://www.linkedin.com/company/akamai-technologies> <http://www.youtube.com/user/akamaitechnologies?feature=results_main>

> On Mar 25, 2022, at 10:34 AM, Dennis Miara via PacketFence-users <packetfence-users@lists.sourceforge.net> wrote:
>
> Hello!
>
> Currently we have switch auth order 802.1X and MAB. It means that when a 802.1x auth fails, MAB will be used. Everything is okay at this point.
>
> I have the following case:
> A user Alice gets a valid 802.1X and the calculated role admin is written into the Node Category.
> Then user Bob will take the client and perform an invalid 802.1X auth. Normally I would expect that the role admin will be deleted from the node.
> Switch triggers MAB. In that case the role admin from Alice's authentication will be taken into account, although the node category or at least role (I don't get the difference correctly) should be cleared.
>
> I already have a VLAN filter configured that sets REJECT category on each node in registration process. In MAB via VLAN Filter the reject will be overwritten by the specific role. When the next authentication fails, the role will be unset and in whole the node will be set to its category (reject). Everything is fine. But as soon as an authentication is successfully done by a source, this category will be overwritten and that finally breaks my mechanism.
>
> Thanks in advance,
> Dennis
>
> _______________________________________________
> PacketFence-users mailing list
> PacketFence-users@lists.sourceforge.net
> https://urldefense.com/v3/__https://lists.sourceforge.net/lists/listinfo/packetfence-users__;!!GjvTz_vk!CXYvCQPWZHIwwntr0jzizd9IyTgpqq9ocmHtgyKUrfmwLTHEyEeDoPqQDqnFijrj$
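The following is an added simulation, not PacketFence code and not part of either message above. It models the `[pf_deauth_from_wireless_secure]` rule's condition and `modify_node` action as a small Python evaluator, plus the wired clone Ludovic suggests, and runs Dennis's scenario (Alice authenticates with 802.1X, Bob fails and the switch falls back to MAB) through both. The wired connection-type strings `Ethernet-EAP` / `Ethernet-NoEAP`, the clone's name `pf_deauth_from_wired_secure`, the MAC address and the simplified `connect()` flow are assumptions made for the example; only the wireless rule's fields come from the thread.

```python
from dataclasses import dataclass
from typing import List, Optional

# Connection-type strings. The wireless pair is taken from the rule in the
# thread; the wired pair is ASSUMED to be PacketFence's wired counterparts.
WIRELESS_EAP = "Wireless-802.11-EAP"
WIRELESS_NOEAP = "Wireless-802.11-NoEAP"
WIRED_EAP = "Ethernet-EAP"        # assumption
WIRED_NOEAP = "Ethernet-NoEAP"    # assumption


@dataclass
class Node:
    """Subset of node_info fields that the rule condition reads."""
    mac: str
    status: str = "unreg"
    autoreg: str = "no"
    category: Optional[str] = None            # role written at registration
    last_connection_type: Optional[str] = None


@dataclass
class DeauthRule:
    """Model of the thread's filter: fire on MAC auth after a prior 802.1X."""
    name: str
    noeap_type: str     # connection_type the rule fires on (MAC authentication)
    eap_type: str       # node_info.last_connection_type the rule requires
    role: str = "registration"

    def condition(self, connection_type: str, node: Node) -> bool:
        # condition=connection_type == <NoEAP> && node_info.last_connection_type == <EAP>
        #           && node_info.status == "reg" && node_info.autoreg == "yes"
        return (connection_type == self.noeap_type
                and node.last_connection_type == self.eap_type
                and node.status == "reg"
                and node.autoreg == "yes")

    def action(self, node: Node) -> str:
        # action.0=modify_node: mac, $mac, status = unreg, autoreg = no
        # Note: the action leaves node.category untouched; only status/autoreg change.
        node.status = "unreg"
        node.autoreg = "no"
        return self.role    # "role = registration" for this session


WIRELESS_RULE = DeauthRule("pf_deauth_from_wireless_secure", WIRELESS_NOEAP, WIRELESS_EAP)
WIRED_RULE = DeauthRule("pf_deauth_from_wired_secure", WIRED_NOEAP, WIRED_EAP)  # assumed clone


def connect(node: Node, connection_type: str, rules: List[DeauthRule],
            dot1x_role: Optional[str] = None) -> str:
    """Simplified model of one authentication; returns the role granted.

    An EAP connection type stands for a successful 802.1X that autoregisters
    the node with the calculated role. A NoEAP type stands for the MAB fallback
    the switch performs after a failed 802.1X; filters are evaluated against
    the node's state from the previous connection, then the node is updated.
    """
    if connection_type in (WIRELESS_EAP, WIRED_EAP):
        node.status, node.autoreg, node.category = "reg", "yes", dot1x_role
        role = dot1x_role
    else:
        role = None
        for rule in rules:
            if rule.condition(connection_type, node):
                role = rule.action(node)
                break
        if role is None:
            # No filter fired: a registered node keeps its stored category
            role = node.category if node.status == "reg" else "registration"
    node.last_connection_type = connection_type
    return role


def alice_then_bob(rules: List[DeauthRule], eap_type: str, noeap_type: str):
    """Alice's valid 802.1X (role admin), then Bob's failed 802.1X -> MAB."""
    node = Node(mac="00:11:22:33:44:55")   # constructed sample MAC
    first = connect(node, eap_type, rules, dot1x_role="admin")
    second = connect(node, noeap_type, rules)
    return first, second, node.status


if __name__ == "__main__":
    print("wireless, default rule:", alice_then_bob([WIRELESS_RULE], WIRELESS_EAP, WIRELESS_NOEAP))
    print("wired, default rule only:", alice_then_bob([WIRELESS_RULE], WIRED_EAP, WIRED_NOEAP))
    print("wired, with clone:", alice_then_bob([WIRELESS_RULE, WIRED_RULE], WIRED_EAP, WIRED_NOEAP))
```

With only the stock wireless rule, the wired MAB session after Bob's failed 802.1X inherits Alice's admin role (the case Dennis describes); once the wired clone is present the node is unregistered and the session gets the registration role. Because `modify_node` here only resets status and autoreg, the stored category is not cleared by the rule itself.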