Hi Fabrice,

Having nothing work if nothing matches is my goal, since I don’t want to allow PEAP-MSCHAPv2 authentication on some SSIDs, but need AD as an authentication source for admin. Although, writing that, I remember that admin rules are different to authentication rules. So what I really want is for successful auth that doesn’t match a connection profile to not work.

The example I have is I’m testing EAP-TLS on Windows, which works when configured with a wifi profile from Intune, but when I joined manually, it used machine account (password) auth and got stuck in the registration VLAN, which was very confusing until I realised what happened. The only connection profile that matched that SSID also required Connection Sub Type EAP-TLS, so it fell back to the default connection profile.

Nov 15 15:06:07 kerr pfqueue[2158733]: pfqueue(2158733) INFO: [mac:6c:a1:00:4e:15:8b] Instantiate profile default (pf::Connection::ProfileFactory::_from_profile)
Nov 15 15:06:11 kerr packetfence_httpd.aaa[2066451]: httpd.aaa(1480) INFO: [mac:7c:b2:7d:48:c2:c7] handling radius autz request: from switch_ip => (10.20.0.1), connection_type => Wireless-802.11-EAP,switch_mac => (e8:ed:d6:1d:b6:e0), mac => [7c:b2:7d:48:c2:c7], port => external, username => "host/ITE22001.ad.ccgs.wa.edu.au", ssid => CCGS Students2 (pf::radius::authorize)
Nov 15 15:06:11 kerr packetfence_httpd.aaa[2066451]: httpd.aaa(1480) INFO: [mac:7c:b2:7d:48:c2:c7] Instantiate profile default (pf::Connection::ProfileFactory::_from_profile)
Nov 15 15:06:11 kerr packetfence_httpd.aaa[2066451]: httpd.aaa(1480) INFO: [mac:7c:b2:7d:48:c2:c7] is of status unreg; belongs into registration VLAN (pf::role::getRegistrationRole)

I guess the more general question is what determines the lookup order for a connection attempt against the connection profiles?

Thanks,

--
James Andrewartha
Network & Projects Engineer
Christ Church Grammar School
Claremont, Western Australia
Ph. (08) 9442 1757
Mob. 0424 160 877

From: Fabrice Durand <oeufd...@gmail.com>
Sent: Wednesday, 16 November 2022 9:47 PM
To: packetfence-users@lists.sourceforge.net
Cc: James Andrewartha <jandrewar...@ccgs.wa.edu.au>
Subject: Re: [PacketFence-users] Disable default connection profile

Hello James,

Trying to remove the default profile is not a good idea, since if no profile matches then nothing will work.
The default is the last-resort one if none matches, so be sure to have one that matches your filter (like the SSID) and keep the default one.

Regards
Fabrice

On Wed, 16 Nov 2022 at 08:30, James Andrewartha via PacketFence-users <packetfence-users@lists.sourceforge.net> wrote:

Hi,

I'm trying to understand connection profiles, and so wanted to disable the default so it's not matched, or at least not matched first. But I can't disable it or reorder it. I tried this at the top of profiles.conf but that just disabled all the other profiles instead:

[default]
status=disabled

Should I just be changing it to suit my own needs? Or could I delete profiles.conf.defaults?

Thanks,

--
James Andrewartha
Network & Projects Engineer
Christ Church Grammar School
Claremont, Western Australia
Ph. (08) 9442 1757
Mob. 0424 160 877

_______________________________________________
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users
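Added example (not part of the thread and not PacketFence code): one way to spot the fallback James describes is to scan the log for RADIUS authorization requests whose next profile line for the same MAC is `default`. The line layout is taken from the log lines quoted in the thread; the sample values and the profile name `tls-only` are constructed, and it is an assumption that a non-default profile is logged in the same `Instantiate profile <name>` form.

```python
import re

# Field layout follows the log lines quoted in the thread.
MAC = r"\[mac:(?P<mac>[0-9a-f:]{17})\]"
AUTZ_RE = re.compile(
    MAC + r" handling radius autz request: .*?connection_type => (?P<ctype>[^,]+),"
    r'.*?username => "(?P<user>[^"]*)", ssid => (?P<ssid>.*?) \(pf::radius::authorize\)'
)
PROFILE_RE = re.compile(MAC + r" Instantiate profile (?P<profile>\S+) ")

def default_profile_fallbacks(lines):
    """Return autz requests whose next profile line for that MAC is 'default'."""
    pending = {}  # mac -> fields of the last autz request still awaiting a profile line
    hits = []
    for line in lines:
        m = AUTZ_RE.search(line)
        if m:
            pending[m["mac"]] = m.groupdict()
            continue
        m = PROFILE_RE.search(line)
        if m and m["mac"] in pending:
            req = pending.pop(m["mac"])
            if m["profile"] == "default":
                hits.append(req)  # authenticated, but no specific profile matched
    return hits

# Constructed sample lines (made-up MACs, names and addresses).
_HDR = "Nov 15 15:06:11 pf packetfence_httpd.aaa[100]: httpd.aaa(1) INFO: [mac:{mac}] "
_AUTZ = (_HDR + "handling radius autz request: from switch_ip => (192.0.2.1), "
         "connection_type => Wireless-802.11-EAP,switch_mac => (02:00:00:00:ff:01), "
         'mac => [{mac}], port => external, username => "{user}", '
         "ssid => Example TLS (pf::radius::authorize)")
_PROF = _HDR + "Instantiate profile {name} (pf::Connection::ProfileFactory::_from_profile)"
SAMPLE = [
    _PROF.format(mac="02:00:00:00:00:09", name="default"),   # no autz request: ignored
    _AUTZ.format(mac="02:00:00:00:00:01", user="host/PC01.example.org"),
    _PROF.format(mac="02:00:00:00:00:01", name="default"),   # fell through to default
    _AUTZ.format(mac="02:00:00:00:00:02", user="alice"),
    _PROF.format(mac="02:00:00:00:00:02", name="tls-only"),  # hypothetical profile name
]

if __name__ == "__main__":
    for hit in default_profile_fallbacks(SAMPLE):
        print("{mac} {user} on '{ssid}' ({ctype}) used the default profile".format(**hit))
```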