Hey Ludovic, more troubleshooting, more results. Currently I've made the following observations:

* User with wrong credentials -> unregistered in EAP auth -> MAB also will fail because the node is unregistered and stays unregistered because of no autoregistration in the MAB profile
* Backend fail (AD not available) -> same behaviour as wrong credentials
* In case I have an assignment of REJECTED role in AD source or afterwards in VLAN filter: 2x REJECTED EAP + 2x REJECTED MAB (everything ok, my VLAN filter seems to work).
* Autoreg and registered

To achieve REJECTED in VLAN filter I've set the following two VLAN filters:

[MSChapV2 Device Validation-copy] - intended to only allow specific users to MSCHAP because normally we want EAP-TLS

scopes=RegisteredRole
condition=connection_type == "Ethernet-EAP" && connection_sub_type == "MS-CHAP-V2" && username != "cnorris" && username != "asdf" && username != "dmiara"
description=MSChapV2 Device Validation
status=enabled
run_actions=enabled
top_op=and
role=REJECT
action.1=trigger_security_event: mac, $mac, tid, unauthdevice, type, custom
action.0=modify_node: mac, $mac, status = unreg, autoreg = no

[pf_deauth_from_wireless_secure] - reject each MAB that is not already registered with svc-phones and svc-printers. Autoregistration happens in another VLAN filter. Autoregistration is turned off for MAB.

condition=connection_type == "Ethernet-NoEAP" && node_info.category != "svc-phones" && node_info.category != "svc-printers"
role=REJECT
top_op=and

[SVC Phone Devices] - this works around the "reject each MAB" rule. Specific MACs will be registered and not rejected.

role=svc-phones
condition=mac == "00:04:13:4d:d1:c6"
status=enabled
description=Macs in this list will be registered as printer
top_op=and
scopes=RegisteredRole,AutoRegister
run_actions=enabled
action.0=modify_node: mac, $mac, status = reg, autoreg = yes

However there is one final point missing, although it's now working as expected:

action.0=modify_node: mac, $mac, status = reg, autoreg = yes

does not deregister nodes and does not set autoreg to no.
This does apply to [pf_deauth_from_wireless_secure] and [MSChapV2 Device Validation-copy]. Do you have any idea why this does not apply? If this action would apply, we would have the same behaviour in each case. In theory I was able to achieve the unregistration by untriggering an additional security event to unregister, but I don't think that this is best practice here.

Thanks,
Dennis

From: Dennis Miara via PacketFence-users <packetfence-users@lists.sourceforge.net>
Reply to: "packetfence-users@lists.sourceforge.net" <packetfence-users@lists.sourceforge.net>
Date: Saturday, 26. March 2022 at 14:24
To: "Zammit, Ludovic" <luza...@akamai.com>, "packetfence-users@lists.sourceforge.net" <packetfence-users@lists.sourceforge.net>
Cc: Dennis Miara <dmi...@vmray.com>
Subject: Re: [PacketFence-users] When Source returns match, a role is assigned to its node category <- Problem!

Hello Ludovic,

Thanks for pointing in the right direction. The unregistration was the hint, because I had turned on autoregistration in the default profile that would catch in that situation. After turning off autoreg the MAB failed and unregistered too because there was no connection profile that could take this node to auth. But: the VLAN filter you pointed to is the filter I would like to use additionally, because if there is somehow a situation where I had a successful 802.1X before and then there is an incoming MAB (for example a case behind a USB-C dock), I'm in the safe zone. Therefore I extended your mentioned already active example by my needs, and I would expect not only to unregister and set autoregister to off, but to reject the auth completely (after changing the role to reject). To make it trigger I also enabled autoreg for the default profile (otherwise the upper case would match and the VLAN filter would not trigger anyway?). Somehow this filter does not get triggered in my situation: 802.1X auth with reject and unregistered and autoreg set to no. Then MAB will start.
Because of the fact that autoregister is turned on, my initial behaviour from the thread will match: MAB will take the role from the 802.1X. Do you have an idea how to go into specific debugging for the VLAN filter as it does not get triggered? In packetfence.log I also can't see that it had been triggered.

Thanks :)

________________________________
From: Zammit, Ludovic <luza...@akamai.com>
Sent: Friday, March 25, 2022 5:00 PM
To: packetfence-users@lists.sourceforge.net
Cc: Dennis Miara
Subject: Re: [PacketFence-users] When Source returns match, a role is assigned to its node category <- Problem!

Hello Dennis,

We have a default similar rule for wireless where, if you have been seen doing a valid 802.1X authentication and that same MAC address is doing a MAC authentication, the node will be automatically unregistered. You can clone that rule and apply it to the wired by changing the connection type.

[pf_deauth_from_wireless_secure]
run_actions=enabled
status=enabled
description=Prevent an autoregistered 802.1x user to switch to an Open SSID and keep the same level of access
condition=connection_type == "Wireless-802.11-NoEAP" && node_info.last_connection_type == "Wireless-802.11-EAP" && node_info.status == "reg" && node_info.autoreg == "yes"
scopes = RegisteredRole
action.0=modify_node: mac, $mac, status = unreg, autoreg = no
role = registration

Thanks,

Ludovic Zammit
Product Support Engineer Principal
Cell: +1.613.670.8432
Akamai Technologies - Inverse
145 Broadway
Cambridge, MA 02142

On Mar 25, 2022, at 10:34 AM, Dennis Miara via PacketFence-users <packetfence-users@lists.sourceforge.net> wrote:

Hello!

Currently we have switch auth order 802.1X and MAB. It means that when an 802.1X auth fails, MAB will be used. Everything is okay at this point. I have the following case: A user Alice gets a valid 802.1X and the calculated role admin is written into the node category. Then user Bob will take the client and perform an invalid 802.1X auth. Normally I would expect that the role admin will be deleted from the node. Switch triggers MAB. In that case the role admin from Alice's authentication will be taken into account, although the node category or at least role (I don't get the difference correctly) should be cleared. I already have a VLAN filter configured that sets REJECT category on each node in registration process. In MAB via VLAN filter the reject will be overwritten by the specific role. When the next authentication fails, the role will be unset and in whole the node will be set to its category (reject). Everything is fine. But as soon as an authentication is successfully done by a source, this category will be overwritten and that finally breaks my mechanism.
Thanks in advance,
Dennis

_______________________________________________
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users
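As an added illustration of Ludovic's suggestion to clone the wireless rule for wired ports (this block is not from the thread and not from PacketFence's shipped vlan_filters.conf), here is that rule with only the connection types swapped. The section name pf_deauth_from_wired_secure is an assumption; the values Ethernet-NoEAP and Ethernet-EAP are the ones Dennis already uses in his own filters.

```ini
# Added example: wired clone of the shipped pf_deauth_from_wireless_secure rule.
# Section name is an assumption; every key is one that appears in the thread.
[pf_deauth_from_wired_secure]
run_actions=enabled
status=enabled
description=Prevent an autoregistered 802.1X user from switching to MAB on a wired port and keeping the same level of access

# Match a MAB (Ethernet-NoEAP) request from a MAC whose previous connection was
# wired 802.1X (Ethernet-EAP) and which is still registered via autoregistration.
condition=connection_type == "Ethernet-NoEAP" && node_info.last_connection_type == "Ethernet-EAP" && node_info.status == "reg" && node_info.autoreg == "yes"

# Evaluated when the registered role is computed, as in the wireless original.
scopes=RegisteredRole

# Unregister the node and clear autoreg so the 802.1X role is not inherited by MAB.
action.0=modify_node: mac, $mac, status = unreg, autoreg = no

# Send the node back to registration instead of granting the previous role.
role=registration
```

After editing vlan_filters.conf, check packetfence.log for the node's next MAB request to confirm the rule fired and the node shows status unreg / autoreg no.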