With Mac authentication, you will need to pre-import your Mac addresses if you know them, create a VLAN filter that automatically matches a MAC OUI, for example, or you redirect them to the captive portal to give them an option to register themselves.
In your case, if you don't know them, you return VLAN 2 (don't forget to return VLAN 2 in the registration role in the switch configuration) and they will never get a role and be registered. They will end up having access on VLAN 2. What are those devices?

Thanks,

Ludovic Zammit
[email protected] :: +1.514.447.4918 (x145) :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence (http://packetfence.org)

> On Apr 7, 2021, at 1:25 AM, Heusler Marie-Cécile <[email protected]> wrote:
>
> Ok, I enabled mac authentication, but now here are my radius logs once I connect the node to the switch:
>
> Apr 7 07:19:51 TPI-PF1 auth[1944]: Adding client 192.168.137.200/32
> Apr 7 07:19:51 TPI-PF1 auth[1944]: [mac:98:e7:f4:14:44:f0] Accepted user: and returned VLAN
> Apr 7 07:19:51 TPI-PF1 auth[1944]: (3879) Login OK: [98e7f41444f0] (from client 192.168.137.200/32 port 19 cli 98:e7:f4:14:44:f0)
>
> Apr 7 07:19:51 TPI-PF1 packetfence_httpd.aaa: httpd.aaa(1218) INFO: [mac:98:e7:f4:14:44:f0] handling radius autz request: from switch_ip => (192.168.137.200), connection_type => Ethernet-NoEAP,switch_mac => (00:16:b9:0b:37:0d), mac => [98:e7:f4:14:44:f0], port => 19, username => "98e7f41444f0" (pf::radius::authorize)
> Apr 7 07:19:51 TPI-PF1 packetfence_httpd.aaa: httpd.aaa(1218) INFO: [mac:98:e7:f4:14:44:f0] Instantiate profile default (pf::Connection::ProfileFactory::_from_profile)
> Apr 7 07:19:51 TPI-PF1 packetfence_httpd.aaa: httpd.aaa(1218) INFO: [mac:98:e7:f4:14:44:f0] Match rule Email-on-role (pf::access_filter::test)
> Apr 7 07:19:51 TPI-PF1 packetfence_httpd.aaa: httpd.aaa(1218) INFO: [mac:98:e7:f4:14:44:f0] Found authentication source(s) : 'local,file1,MonDomaine' for realm 'null' (pf::config::util::filter_authentication_sources)
> Apr 7 07:19:51 TPI-PF1 packetfence_httpd.aaa: httpd.aaa(1218) WARN: [mac:98:e7:f4:14:44:f0] No category computed for autoreg (pf::role::getNodeInfoForAutoReg)
> Apr 7 07:19:51 TPI-PF1 packetfence_httpd.aaa: httpd.aaa(1218) INFO: [mac:98:e7:f4:14:44:f0] Match rule Email-on-role (pf::access_filter::test)
> Apr 7 07:19:51 TPI-PF1 packetfence_httpd.webservices: httpd.webservices(1790) WARN: [mac:98:e7:f4:14:44:f0] Unable to pull accounting history for device 98:e7:f4:14:44:f0. The history set doesn't exist yet. (pf::accounting_events_history::latest_mac_history)
> Apr 7 07:19:51 TPI-PF1 packetfence_httpd.aaa: httpd.aaa(1218) INFO: [mac:98:e7:f4:14:44:f0] Found authentication source(s) : 'local,file1,MonDomaine' for realm 'null' (pf::config::util::filter_authentication_sources)
> Apr 7 07:19:51 TPI-PF1 packetfence_httpd.aaa: httpd.aaa(1218) INFO: [mac:98:e7:f4:14:44:f0] Connection type is MAC-AUTH. Getting role from node_info (pf::role::getRegisteredRole)
> Apr 7 07:19:51 TPI-PF1 packetfence_httpd.aaa: httpd.aaa(1218) WARN: [mac:98:e7:f4:14:44:f0] Use of uninitialized value $role in concatenation (.) or string at /usr/local/pf/lib/pf/role.pm line 489. (pf::role::getRegisteredRole)
> Apr 7 07:19:51 TPI-PF1 packetfence_httpd.aaa: httpd.aaa(1218) INFO: [mac:98:e7:f4:14:44:f0] Username was NOT defined or unable to match a role - returning node based role '' (pf::role::getRegisteredRole)
>
> I tried to create a new connection profile, but the result is the same.
>
> Any ideas?
>
> Thanks
>
> From: Ludovic Zammit <[email protected]>
> Sent: Tuesday, 6 April 2021 19:48
> To: Heusler Marie-Cécile
> Cc: [email protected]
> Subject: Re: VLAN for rejected machine
>
> You can't, because if those non-joined machines connect over 802.1x they will fail and stay there.
>
> What you want to do is 802.1x + Mac authentication bypass (MAB) on the switch port.
>
> A non-corporate machine should do MAB and land on the captive portal and authenticate. If you want to skip that part, you can put VLAN ID 2 in the registration role on the switch so everyone that does Mac authentication would be redirected to VLAN 2.
>
> Thanks,
>
> Ludovic Zammit
> [email protected] :: +1.514.447.4918 (x145) :: www.inverse.ca
> Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence (http://packetfence.org)
>
>> On Apr 6, 2021, at 1:33 PM, Heusler Marie-Cécile <[email protected]> wrote:
>>
>> Hello
>>
>> I have an authentication source that gives the role VLAN1 to the corporate machines.
>>
>> <pastedImage.png>
>>
>> <pastedImage.png>
>>
>> Now I want to give the non-corporate machines the role VLAN2. However, I can't assign a role to a node that can't log in to the source.
>>
>> Adding client 10.104.92.130/32
>> Apr 6 19:11:06 packetfence auth[19459]: (195) chrooted_mschap_machine: ERROR: Program returned code (1) and output 'Logon failure (0xc000006d)'
>> Apr 6 19:11:06 packetfence auth[19459]: (195) Login incorrect (chrooted_mschap_machine: Program returned code (1) and output 'Logon failure (0xc000006d)'): [host/client.tpi.local] (from client 10.104.92.130/32 port 21 cli 2c:44:fd:65:ab:27 via TLS tunnel)
>> Apr 6 19:11:06 packetfence auth[19459]: [mac:2c:44:fd:65:ab:27] Rejected user: host/client.tpi.local
>> Apr 6 19:11:06 packetfence auth[19459]: (196) Login incorrect (eap_peap: The users session was previously rejected: returning reject (again.)): [host/client.tpi.local] (from client 10.104.92.130/32 port 21 cli 2c:44:fd:65:ab:27)
>>
>> A client that is not in the domain will have a login incorrect. But how can I say that every client out of the domain will move to the VLAN2 role?
>>
>> Thank you for your reply.
_______________________________________________ PacketFence-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/packetfence-users
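Reading the two log excerpts quoted in this thread by hand is tedious, so here is an added example, not part of the thread and not PacketFence code, of a small Python triage script that groups FreeRADIUS / PacketFence lines by MAC and flags the two situations the thread describes: a MAB device that got an Access-Accept but for which PacketFence computed an empty node role (it will sit in whatever VLAN the registration role maps to, VLAN 2 in Ludovic's suggestion), and an 802.1X machine that was rejected with no MAB accept seen for the same MAC. The sample lines are constructed to match the shapes shown in the thread; the third device (aa:bb:cc:dd:ee:01) and its "returned VLAN 1" line are invented to show what a registered corporate host looks like by contrast. The status names and the heuristics (string matches on "Accepted user:", "Rejected user:", "Login incorrect", "eap_", "No category computed for autoreg" and the "returning node based role" line) are this example's own, not PacketFence terminology.

```python
import re
from collections import defaultdict

# Constructed sample input, modelled on the lines quoted in the thread.
# The first two devices reuse the thread's MACs; the third (aa:bb:cc:dd:ee:01)
# and its "returned VLAN 1" line are invented to show a registered corporate host.
SAMPLE_LOG = """\
Apr 7 07:19:51 TPI-PF1 auth[1944]: [mac:98:e7:f4:14:44:f0] Accepted user: and returned VLAN
Apr 7 07:19:51 TPI-PF1 packetfence_httpd.aaa: httpd.aaa(1218) INFO: [mac:98:e7:f4:14:44:f0] handling radius autz request: from switch_ip => (192.168.137.200), connection_type => Ethernet-NoEAP,switch_mac => (00:16:b9:0b:37:0d), mac => [98:e7:f4:14:44:f0], port => 19, username => "98e7f41444f0" (pf::radius::authorize)
Apr 7 07:19:51 TPI-PF1 packetfence_httpd.aaa: httpd.aaa(1218) WARN: [mac:98:e7:f4:14:44:f0] No category computed for autoreg (pf::role::getNodeInfoForAutoReg)
Apr 7 07:19:51 TPI-PF1 packetfence_httpd.aaa: httpd.aaa(1218) INFO: [mac:98:e7:f4:14:44:f0] Username was NOT defined or unable to match a role - returning node based role '' (pf::role::getRegisteredRole)
Apr 6 19:11:06 packetfence auth[19459]: [mac:2c:44:fd:65:ab:27] Rejected user: host/client.tpi.local
Apr 6 19:11:06 packetfence auth[19459]: (196) Login incorrect (eap_peap: The users session was previously rejected: returning reject (again.)): [host/client.tpi.local] (from client 10.104.92.130/32 port 21 cli 2c:44:fd:65:ab:27)
Apr 7 08:02:13 TPI-PF1 auth[1944]: [mac:aa:bb:cc:dd:ee:01] Accepted user: host/laptop42.tpi.local and returned VLAN 1
"""

# A line names its device either as "[mac:xx:xx:...]" (PacketFence) or as
# "cli xx:xx:..." (FreeRADIUS "from client ... cli <mac>" suffix).
MAC_RE = re.compile(r"\[mac:([0-9a-f:]{17})\]|\bcli ([0-9a-f:]{17})\b", re.I)
CONN_RE = re.compile(r"connection_type => ([^,\s]+)")
ROLE_RE = re.compile(r"returning node based role '([^']*)'")


def mac_of(line):
    """Return the lower-cased MAC a log line is about, or None if it names none."""
    m = MAC_RE.search(line)
    return (m.group(1) or m.group(2)).lower() if m else None


def _new_record():
    return {"accepted": False, "rejected": False, "eap": False,
            "autoreg_failed": False, "conn": None, "role": None}


def classify(rec):
    """Map the evidence collected for one MAC to a triage status (names are this example's own)."""
    if rec["accepted"] and (rec["role"] == "" or rec["autoreg_failed"]):
        # Access-Accept, but PacketFence computed no role: the node is unregistered
        # and ends up in whatever VLAN the registration role maps to on that switch.
        return "MAB_UNREGISTERED"
    if rec["accepted"]:
        return "AUTHORIZED"
    if rec["rejected"] and rec["eap"]:
        # 802.1X (EAP) reject and no MAB accept seen for the same MAC: the port
        # has no MAB fallback, the machine "fails and stays there".
        return "DOT1X_REJECT"
    if rec["rejected"]:
        return "REJECT"
    return "UNKNOWN"


def summarize(log_text):
    """Collect per-MAC evidence from a log excerpt and attach a status to each device."""
    devices = defaultdict(_new_record)
    for line in log_text.splitlines():
        mac = mac_of(line)
        if mac is None:
            continue
        rec = devices[mac]
        if "Accepted user:" in line:
            rec["accepted"] = True
        if "Rejected user:" in line or "Login incorrect" in line:
            rec["rejected"] = True
        if "eap_" in line or "via TLS tunnel" in line:
            rec["eap"] = True
        if "No category computed for autoreg" in line:
            rec["autoreg_failed"] = True
        m = CONN_RE.search(line)
        if m:
            rec["conn"] = m.group(1)   # e.g. Ethernet-NoEAP == MAC authentication
        m = ROLE_RE.search(line)
        if m:
            rec["role"] = m.group(1)   # '' means "no role computed"
    return {mac: dict(rec, status=classify(rec)) for mac, rec in devices.items()}


def report(log_text):
    """One summary line per device, sorted by MAC, for a quick read of an excerpt."""
    return [f"{mac}  {rec['status']:<17} conn={rec['conn'] or '?'} role={rec['role']!r}"
            for mac, rec in sorted(summarize(log_text).items())]


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```

Run it on a saved copy of /usr/local/pf/logs output (or paste the excerpt into SAMPLE_LOG); a MAB_UNREGISTERED entry is the device Ludovic describes, and what it can reach depends entirely on what the registration role maps to on the switch, which is why that VLAN should be treated as untrusted.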
