Hello Ludovic,

Thanks for pointing in the right direction. The unregistration was the hint, because I had turned on autoregistration in the default profile that would catch in that situation. After turning off autoreg, the MAB failed and unregistered too, because there was no connection profile that could take this node to auth. But: the VLAN filter you pointed to is the filter I would like to use additionally, because if there is somehow a situation where I had a successful 802.1X before and then there is an incoming MAB (for example a case behind a USB-C dock), I'm in the safe zone. Therefore I extended your mentioned, already active example by my needs, and I would expect not only to unregister and set autoregister to off, but to reject the auth completely (after changing the role to reject).
To make it trigger I also enabled autoreg for the default profile (otherwise the upper case would match and the VLAN filter would not trigger anyway?). Somehow this filter does not get triggered in my situation: 802.1X auth with reject and unregistered and autoreg set to no. Then MAB will start. Because of the fact that autoregister is turned on, my initial behaviour from the thread will match: MAB will take the role from the 802.1X. Do you have an idea how to go into specific debugging for the VLAN filter, as it does not get triggered? In packetfence.log I also can't see that it had been triggered. Thanks :)

________________________________
From: Zammit, Ludovic <luza...@akamai.com>
Sent: Friday, March 25, 2022 5:00 PM
To: packetfence-users@lists.sourceforge.net
Cc: Dennis Miara
Subject: Re: [PacketFence-users] When Source returns match, a role is assigned to its node category <- Problem!

Hello Dennis,

We have a default similar rule for Wireless where, if you have been seen doing a valid 802.1X authentication and that same MAC address is doing a MAC authentication, the node will be automatically unregistered. You can clone that rule and apply it to the wired by changing the connection type.
    [pf_deauth_from_wireless_secure]
    run_actions=enabled
    status=enabled
    description=Prevent an autoregistered 802.1x user to switch to an Open SSID and keep the same level of access
    condition=connection_type == "Wireless-802.11-NoEAP" && node_info.last_connection_type == "Wireless-802.11-EAP" && node_info.status == "reg" && node_info.autoreg == "yes"
    scopes = RegisteredRole
    action.0=modify_node: mac, $mac, status = unreg, autoreg = no
    role = registration

Thanks,

Ludovic Zammit
Product Support Engineer Principal
Cell: +1.613.670.8432
Akamai Technologies - Inverse
145 Broadway Cambridge, MA 02142

On Mar 25, 2022, at 10:34 AM, Dennis Miara via PacketFence-users <packetfence-users@lists.sourceforge.net> wrote:

Hello!

Currently we have switch auth order 802.1X and MAB. It means that when an 802.1X auth fails, MAB will be used. Everything is okay at this point. I have the following case: A user Alice gets a valid 802.1X and the calculated role admin is written into the Node Category. Then user Bob will take the client and perform an invalid 802.1X auth. Normally I would expect that the role admin will be deleted from the node. Switch triggers MAB.
In that case the role admin from Alice's authentication will be taken into account, although the node category or at least role (I don't get the difference correctly) should be cleared. I already have a VLAN filter configured that sets the REJECT category on each node in the registration process. In MAB via VLAN filter the reject will be overwritten by the specific role. When the next authentication fails, the role will be unset and in whole the node will be set to its category (reject). Everything is fine. But as soon as an authentication is successfully done by a source, this category will be overwritten, and that finally breaks my mechanism.

Thanks in advance,
Dennis

_______________________________________________
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users
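As an added illustration of Ludovic's suggestion (this fragment is not part of the thread and not PacketFence's shipped default), here is his wireless rule cloned for wired by swapping the connection types. Ethernet-EAP and Ethernet-NoEAP are PacketFence's connection-type strings for wired 802.1X and wired MAC authentication (MAB); the section name and description are chosen here. The role value is left as in the original rule, since the exact token for Dennis's reject variant is not shown in the thread.

```ini
# Added example, not from the thread: Ludovic's wireless rule cloned for wired
# (vlan_filters.conf style). Section name is arbitrary.
[pf_deauth_from_wired_secure]
run_actions=enabled
status=enabled
description=Prevent an autoregistered 802.1X user from falling back to wired MAB and keeping the same level of access
# Ethernet-NoEAP = wired MAC authentication (MAB); Ethernet-EAP = wired 802.1X.
# The rule only fires while the node is still registered with autoreg=yes,
# i.e. when a valid 802.1X session was the last thing seen for this MAC.
condition=connection_type == "Ethernet-NoEAP" && node_info.last_connection_type == "Ethernet-EAP" && node_info.status == "reg" && node_info.autoreg == "yes"
scopes = RegisteredRole
# Unregister the node and clear autoreg so the role computed for the earlier
# 802.1X user does not carry over into the MAB session.
action.0=modify_node: mac, $mac, status = unreg, autoreg = no
role = registration
```

Note that the condition requires node_info.status == "reg" and node_info.autoreg == "yes". In the sequence Dennis describes (a failed 802.1X that already unregistered the node and set autoreg to no before MAB starts), those two checks are false, so this rule as written is not expected to match; it covers the case he calls the "safe zone", a valid 802.1X session followed by MAB from the same MAC.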