The sources are displayed on the captive portal with the registration VLAN.

No registration VLAN, no captive portal, no guest registration.

If you want your guests to get connected on the network, you will need to 
import all the MAC addresses in PacketFence using a CSV import under Node. Yes, 
they will use MAC authentication.

Thanks,

Ludovic Zammit
[email protected] <mailto:[email protected]> ::  +1.514.447.4918 (x145) ::  
www.inverse.ca <https://www.inverse.ca/>
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu <http://www.sogo.nu/>) 
and PacketFence (http://packetfence.org <http://packetfence.org/>)
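Added example (not PacketFence code, and not from either poster): a small Python model of the "802.1X then MAB" switch-port behaviour and of the VLAN decision that runs through this thread. The node table, the switch's role-to-VLAN map, the rule evaluation (a rule is treated as matching when it returns both a Role and an Access Duration) and all class and function names are assumptions made for the illustration; real PacketFence also evaluates rule conditions, connection profiles and realms, which are left out here.

```python
"""Simplified model (added example, not PacketFence code) of a switch port doing
802.1X first and MAC authentication bypass (MAB) second, and of the VLAN that
PacketFence returns for each case discussed in this thread."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Node:
    """A row of the PacketFence node table (assumed fields for the model)."""
    mac: str
    status: str = "unreg"        # "reg" or "unreg"
    role: Optional[str] = None   # PacketFence category; None = no role


@dataclass
class SourceRule:
    """What an authentication-source rule returns when it matches."""
    name: str
    role: Optional[str]             # None = the rule forgets to return a Role
    access_duration: Optional[str]  # e.g. "1D"; None = forgets the Access Duration


@dataclass
class SwitchConfig:
    """Switches > <switch IP> > Roles tab: role -> VLAN ID, plus the Registration VLAN."""
    role_vlans: Dict[str, int]
    registration_vlan: Optional[int] = None   # None = no registration VLAN configured


@dataclass
class Decision:
    result: str                 # "Access-Accept" or "Access-Reject"
    vlan: Optional[int] = None
    reason: str = ""


def mab_username(mac: str) -> str:
    """With MAB the switch sends the MAC, without separators, as RADIUS User-Name
    (the "2c44fd65ab27" seen in the logs)."""
    return mac.replace(":", "").replace("-", "").lower()


class PacketFenceModel:
    def __init__(self, switch: SwitchConfig, nodes: List[Node], rules: List[SourceRule]):
        self.switch = switch
        self.nodes = {n.mac.lower(): n for n in nodes}   # CSV-imported / registered nodes
        self.rules = rules                                # rules of the 802.1X source (AD)

    def _node(self, mac: str) -> Node:
        return self.nodes.setdefault(mac.lower(), Node(mac=mac.lower()))

    def _accept_registered(self, node: Node) -> Decision:
        vlan = self.switch.role_vlans.get(node.role or "")
        if vlan is None:
            return Decision("Access-Reject", reason=f"role {node.role!r} has no VLAN on this switch")
        return Decision("Access-Accept", vlan, f"registered node, role {node.role}")

    def authorize_eap(self, mac: str, credentials_valid: bool) -> Decision:
        """802.1X: credentials checked against the source; a matching rule auto-registers
        the node. Rule conditions are simplified to 'first rule returning both values'."""
        node = self._node(mac)
        if not credentials_valid:
            # a host that is not in the domain fails here and stays there on an 802.1X-only port
            return Decision("Access-Reject", reason="EAP authentication failed")
        for rule in self.rules:
            if rule.role and rule.access_duration:
                node.status, node.role = "reg", rule.role   # auto-registration
                return self._accept_registered(node)
        # a rule matched but returned no Role: the error message quoted in the thread
        return Decision("Access-Reject", reason="no role computed by any sources")

    def authorize_mab(self, mac: str) -> Decision:
        """MAC authentication: decision from the node table only (no credentials)."""
        node = self._node(mac)
        if node.status == "reg":
            return self._accept_registered(node)
        if self.switch.registration_vlan is None:
            return Decision("Access-Reject", reason="unregistered node and no registration VLAN")
        return Decision("Access-Accept", self.switch.registration_vlan,
                        "unregistered node -> registration VLAN (captive portal)")


def port_authenticate(pf: PacketFenceModel, mac: str, has_supplicant: bool,
                      credentials_valid: bool = False) -> Decision:
    """Port configured '802.1X then MAB': EAP if the host answers EAP-Request/Identity,
    otherwise the switch falls back to MAB after the dot1x timeout (~30 s in the thread)."""
    if has_supplicant:
        return pf.authorize_eap(mac, credentials_valid)
    return pf.authorize_mab(mac)


if __name__ == "__main__":
    switch = SwitchConfig(role_vlans={"VLAN1": 1}, registration_vlan=2)
    pf = PacketFenceModel(switch, [Node("aa:bb:cc:dd:ee:01", "reg", "VLAN1")],
                          [SourceRule("corporate", role="VLAN1", access_duration="1D")])
    for mac, supplicant, ok in [("98:e7:f4:14:44:f0", True, True),    # domain-joined laptop
                                ("2c:44:fd:65:ab:27", True, False),   # non-domain laptop, 802.1X only
                                ("2c:44:fd:65:ab:27", False, False),  # same laptop, MAB fallback
                                ("aa:bb:cc:dd:ee:01", False, False)]: # CSV-imported guest
        print(mac, mab_username(mac), port_authenticate(pf, mac, supplicant, ok))
```

The two failure cases from the thread are the interesting ones: a non-domain laptop on an 802.1X-only port is rejected and never gets a VLAN (so it needs the MAB fallback), and a rule that returns no Role makes auto-registration fail with an Access-Reject even though the credentials were fine. Note also that a registered node whose role is not mapped on the switch gets no VLAN either.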







> On Apr 9, 2021, at 8:43 AM, Heusler Marie-Cécile 
> <[email protected]> wrote:
> 
> 
> Thank you very much for these explanations.
> 
> As I understand, I still need to create an authentication source for guests 
> using MAC authentication; they are not automatically put in the registration 
> VLAN if they are not authenticated with 802.1X.
> 
> 
> From: Ludovic Zammit <[email protected]>
> Sent: Friday, 9 April 2021 14:34
> To: Heusler Marie-Cécile
> Cc: [email protected]
> Subject: Re: VLAN for rejected machine
>  
> Ok, let me show a basic workflow for wireless; it works almost the same for 
> wired authentication:
> 
> Here is the diagram showing the interaction between PacketFence, the 
> endpoint, the AP and the WLAN controller:
> 
> [diagram attached to the original message; not reproduced here]
> 
> 1. User initiates association to the WLAN AP and transmits the MAC address. If the 
>    user accesses the network via a device registered in PacketFence, go to 8.
> 2. The WLAN controller transmits the MAC address via RADIUS to the PacketFence 
>    server to authenticate/authorize that MAC address on the AP.
> 3. The PacketFence server conducts an address audit in its database. If it does not 
>    recognize the MAC address, go to 4. If it does, go to 8.
> 4. The PacketFence server directs the WLAN controller via RADIUS (RFC2868 attributes) to 
>    put the device in an "unauthenticated role" (a set of ACLs that would 
>    limit/redirect the user to the PacketFence captive portal for registration; 
>    or we can also use a registration VLAN in which PacketFence does DNS 
>    blackholing and is the DHCP server).
> 5. The user's device issues a DHCP/DNS request to PacketFence (which is the 
>    DHCP/DNS server on this VLAN or for this role), which sends the IP and DNS 
>    information. At this point, ACLs are limiting/redirecting the user to 
>    PacketFence's captive portal for authentication. PacketFence fingerprints 
>    the device (user-agent attributes, DHCP information and MAC address patterns), 
>    from which it can take various actions including: keep the device on the registration 
>    portal, direct it to an alternate captive portal, auto-register the device, 
>    auto-block the device, etc. If the device remains on the registration 
>    portal, the user registers by providing the information (username/password, 
>    cell phone number, etc.). At this time PacketFence could also require the 
>    device to go through a posture assessment (using Nessus, OpenVAS, etc.).
> 6. If authentication is required (username/password) through a login form, those 
>    credentials are validated via the directory server (or any other 
>    authentication source, like LDAP, SQL, RADIUS, SMS, Facebook, Google+, 
>    etc.), which provides user attributes to PacketFence, which creates a user+device 
>    policy profile in its database.
> 7. PacketFence performs a Change of Authorization (RFC3576) on the controller 
>    and the user must be re-authenticated/re-authorized, so we go back to 1.
> 8. The PacketFence server directs the WLAN controller via RADIUS to put the device in an 
>    "authenticated role", or in the "normal" VLAN.
> 
> Then in a normal deployment you would have one secured SSID with 802.1X EAP 
> PEAP and one open captive-portal SSID using MAC authentication.
> 
> The secure SSID is to authenticate corporate devices like domain-joined 
> computers and users that own AD credentials. It requires a configuration on the 
> devices to instruct them to push or ask for a username/password or even a 
> computer account.
> 
> The open SSID is to authenticate guest users on a captive portal using MAC 
> authentication. You can use the VLAN enforcement to redirect them into a VLAN 
> (Registration) that PacketFence manages 100% (in most cases not routed; DHCP, 
> DNS and gateway) or you can use the Web Authentication method if the 
> equipment supports it. On that guest portal, you can authenticate the guest 
> with many different sources of authentication; the most used are the Email 
> registration and the SMS registration. You could mix them up like Guest 
> type (SMS + Email) + Login type (AD).
> 
> You can't mix up the methods of authentication on wireless. 
> 
> Secure SSID = WPA2 Enterprise 802.1X EAP PEAP (or EAP TLS) without captive 
> portal (auto-registration)
> Open SSID = Open, no encryption, RADIUS MAC authentication with a captive portal
> 
> On the wired side, you can have 802.1X then MAC authentication configured on a 
> switch port. The MAC authentication configured that way will most likely engage 
> 30 seconds after if the computer does not push an 802.1X identity. In 
> that case, that is where you authenticate your wired guests. You should redirect 
> them into the PF registration VLAN to show them the captive portal. In some 
> cases, you want to have your MAC authentication users dropped directly 
> into a production VLAN without doing anything, to give them direct access to 
> the network for a roll-out, for example.
> 
> I hope it makes it clearer.
> 
> Thanks,
> 
> Ludovic Zammit
> 
>> On Apr 9, 2021, at 8:17 AM, Heusler Marie-Cécile <[email protected]> wrote:
>> 
>> 
>> But which source should the non-domain items use? 
>> VLAN ID 2 is assigned to the registration role on the switch.
>> 
>> [screenshots attached to the original message; not reproduced here]
>> 
>> From: Ludovic Zammit <[email protected]>
>> Sent: Friday, 9 April 2021 13:53
>> To: Heusler Marie-Cécile
>> Cc: [email protected]
>> Subject: Re: VLAN for rejected machine
>>  
>> Hello,
>> 
>> Show me the conf/authentication.conf
>> 
>> You are definitely registering that device with a source where the rule is not 
>> well configured.
>> 
>> On each rule, you need to return an Access Duration / Unregistration date and 
>> a Role.
>> 
>> The Role needs to be configured with the VLAN ID in the switch config.
>> 
>> Thanks,
>> 
>> Ludovic Zammit
>> 
>>> On Apr 9, 2021, at 12:22 AM, Heusler Marie-Cécile <[email protected]> wrote:
>>> 
>>> Apr 9 06:21:21 TPI-PF1 packetfence_httpd.aaa: httpd.aaa(1235) INFO: 
>>> [mac:2c:44:fd:65:ab:27] handling radius autz request: from switch_ip => 
>>> (192.168.137.200), connection_type => Ethernet-NoEAP,switch_mac => 
>>> (00:16:b9:0b:37:0d), mac => [2c:44:fd:65:ab:27], port => 19, username => 
>>> "2c44fd65ab27" (pf::radius::authorize)
>>> Apr 9 06:21:21 TPI-PF1 packetfence_httpd.aaa: httpd.aaa(1235) INFO: 
>>> [mac:2c:44:fd:65:ab:27] Instantiate profile default 
>>> (pf::Connection::ProfileFactory::_from_profile)
>>> Apr 9 06:21:21 TPI-PF1 packetfence_httpd.aaa: httpd.aaa(1235) INFO: 
>>> [mac:2c:44:fd:65:ab:27] Match rule Email-on-role (pf::access_filter::test)
>>> Apr 9 06:21:21 TPI-PF1 packetfence_httpd.aaa: httpd.aaa(1235) INFO: 
>>> [mac:2c:44:fd:65:ab:27] Found authentication source(s) : 
>>> 'local,file1,MonDomaine' for realm 'null' 
>>> (pf::config::util::filter_authentication_sources)
>>> Apr 9 06:21:21 TPI-PF1 packetfence_httpd.aaa: httpd.aaa(1235) WARN: 
>>> [mac:2c:44:fd:65:ab:27] No category computed for autoreg 
>>> (pf::role::getNodeInfoForAutoReg)
>>> Apr 9 06:21:21 TPI-PF1 packetfence_httpd.aaa: httpd.aaa(1235) WARN: 
>>> [mac:2c:44:fd:65:ab:27] No role specified or found for pid 2c44fd65ab27 
>>> (MAC 2c:44:fd:65:ab:27); assume maximum number of registered nodes is 
>>> reached (pf::node::is_max_reg_nodes_reached)
>>> Apr 9 06:21:21 TPI-PF1 packetfence_httpd.aaa: httpd.aaa(1235) ERROR: 
>>> [mac:2c:44:fd:65:ab:27] no role computed by any sources - registration of 
>>> 2c:44:fd:65:ab:27 to 2c44fd65ab27 failed 
>>> (pf::registration::setup_node_for_registration)
>>> Apr 9 06:21:21 TPI-PF1 packetfence_httpd.aaa: httpd.aaa(1235) ERROR: 
>>> [mac:2c:44:fd:65:ab:27] auto-registration of node failed no role computed 
>>> by any sources (pf::radius::authorize)
>>> Apr 9 06:21:21 TPI-PF1 packetfence_httpd.webservices: 
>>> httpd.webservices(1907) WARN: [mac:2c:44:fd:65:ab:27] Unable to pull 
>>> accounting history for device 2c:44:fd:65:ab:27. The history set doesn't 
>>> exist yet. (pf::accounting_events_history::latest_mac_history)
>>> 
>>> 
>>> From: Ludovic Zammit <[email protected]>
>>> Sent: Thursday, 8 April 2021 18:32
>>> To: Heusler Marie-Cécile
>>> Cc: [email protected]
>>> Subject: Re: VLAN for rejected machine
>>>  
>>> Unregister your device and give the output of:
>>> 
>>> grep 2c:44:fd:65:ab:27 /usr/local/pf/logs/packetfence.log
>>> 
>>> Thanks,
>>> 
>>> Ludovic Zammit
>>> 
>>>> On Apr 8, 2021, at 12:03 PM, Heusler Marie-Cécile <[email protected]> wrote:
>>>> 
>>>> So it's weird, because here are my logs when I connect an off-domain 
>>>> machine :
>>>> 
>>>> Apr 8 18:02:06 TPI-PF1 auth[1993]: [mac:2c:44:fd:65:ab:27] Rejected user: 
>>>> 2c44fd65ab27
>>>> Apr 8 18:02:06 TPI-PF1 auth[1993]: (3098) Rejected in post-auth: 
>>>> [2c44fd65ab27] (from client 192.168.137.200/32 port 19 cli 
>>>> 2c:44:fd:65:ab:27)
>>>> Apr 8 18:02:06 TPI-PF1 auth[1993]: (3098) Incorrect login: [2c44fd65ab27] 
>>>> (from client 192.168.137.200/32 port 19 cli 2c:44:fd:65:ab:27)
>>>> Apr 8 18:02:06 TPI-PF1 auth[1993]: [mac:2c:44:fd:65:ab:27] Rejected user: 
>>>> 2c44fd65ab27
>>>> Apr 8 18:02:06 TPI-PF1 auth[1993]: (3098) Rejected in post-auth: 
>>>> [2c44fd65ab27] (from client 192.168.137.200/32 port 19 cli 
>>>> 2c:44:fd:65:ab:27)
>>>> Apr 8 18:02:06 TPI-PF1 auth[1993]: (3098) Incorrect login: [2c44fd65ab27] 
>>>> (from client 192.168.137.200/32 port 19 cli 2c:44:fd:65:ab:27)
>>>> 
>>>> And I get the message 'no role computed by any source'.
>>>> 
>>>> 
>>>> However, if I create a 'null' source and create a profile with the filter 
>>>> "ethernet no-eap" and my null source, it works.
>>>> 
>>>> 
>>>> 
>>>> From: Ludovic Zammit <[email protected]>
>>>> Sent: Thursday, 8 April 2021 17:56
>>>> To: Heusler Marie-Cécile
>>>> Cc: [email protected]
>>>> Subject: Re: VLAN for rejected machine
>>>>  
>>>> No, it’s a default behavior, they will be put in VLAN 2 if they are 
>>>> unregistered.
>>>> 
>>>> Thanks,
>>>> 
>>>> Ludovic Zammit
>>>> 
>>>>> On Apr 8, 2021, at 10:25 AM, Heusler Marie-Cécile <[email protected]> wrote:
>>>>> 
>>>>> That's what I did, but do I have to create a specific source for that, 
>>>>> and a profile ? 
>>>>> From: Ludovic Zammit <[email protected]>
>>>>> Sent: Thursday, 8 April 2021 16:11:59
>>>>> To: Heusler Marie-Cécile
>>>>> Cc: [email protected]
>>>>> Subject: Re: VLAN for rejected machine
>>>>>  
>>>>> Ok so put VLAN 2 as the registration VLAN in your switch configuration 
>>>>> under Configuration > Policies and Access Control > Switches > Switch IP 
>>>>> > Roles > Registration -> 2
>>>>> 
>>>>> Thanks,
>>>>> 
>>>>> Ludovic Zammit
>>>>> 
>>>>>> On Apr 8, 2021, at 9:48 AM, Heusler Marie-Cécile <[email protected]> wrote:
>>>>>> 
>>>>>> Not really. I just want the devices that don't match my AD source to 
>>>>>> go to VLAN2 and be able to do nothing.
>>>>>> 
>>>>>> 
>>>>>>    
>>>>>> From: Ludovic Zammit <[email protected]>
>>>>>> Sent: Thursday, 8 April 2021 15:29
>>>>>> To: Heusler Marie-Cécile
>>>>>> Cc: [email protected]
>>>>>> Subject: Re: VLAN for rejected machine
>>>>>>  
>>>>>> Is this the registration VLAN ?
>>>>>> 
>>>>>> Thanks,
>>>>>> 
>>>>>> Ludovic Zammit
>>>>>> 
>>>>>>> On Apr 8, 2021, at 8:12 AM, Heusler Marie-Cécile <[email protected]> wrote:
>>>>>>> 
>>>>>>> For the time being, VLAN2 simply serves as an isolation VLAN. The 
>>>>>>> workstations should not access anything from this VLAN. 
>>>>>>> 
>>>>>>> 
>>>>>>> From: Ludovic Zammit <[email protected]>
>>>>>>> Sent: Thursday, 8 April 2021 13:33
>>>>>>> To: Heusler Marie-Cécile
>>>>>>> Cc: [email protected]
>>>>>>> Subject: Re: VLAN for rejected machine
>>>>>>>  
>>>>>>> What's VLAN 2 and what is its purpose?
>>>>>>> 
>>>>>>> Thanks,
>>>>>>> 
>>>>>>> Ludovic Zammit
>>>>>>> 
>>>>>>>> On Apr 8, 2021, at 1:38 AM, Heusler Marie-Cécile <[email protected]> wrote:
>>>>>>>> 
>>>>>>>> The devices are, for example, laptops that are not part of the domain. 
>>>>>>>> I want them to enter VLAN2, but I don't know them in advance.
>>>>>>>> 
>>>>>>>> Where do I specify that I want them to be in VLAN2, without their 
>>>>>>>> login failing with my AD source? 
>>>>>>>> 
>>>>>>>> What I've tried to do so far is to create a second Authorization 
>>>>>>>> source, and a new profile that uses that source. I don't know if this 
>>>>>>>> is correct.
>>>>>>>> 
>>>>>>>> [screenshots attached to the original message; not reproduced here]
>>>>>>>> 
>>>>>>>> Thanks
>>>>>>>> From: Ludovic Zammit <[email protected]>
>>>>>>>> Sent: Wednesday, 7 April 2021 13:53:40
>>>>>>>> To: Heusler Marie-Cécile
>>>>>>>> Cc: [email protected]
>>>>>>>> Subject: Re: VLAN for rejected machine
>>>>>>>>  
>>>>>>>> With MAC authentication, you will need to pre-import your MAC addresses 
>>>>>>>> if you know them, create a VLAN filter that automatically matches a MAC OUI 
>>>>>>>> for example, or you redirect them to the captive portal to give them an 
>>>>>>>> option to register themselves.
>>>>>>>> 
>>>>>>>> In your case, if you don't know them, you return VLAN 2 (don't 
>>>>>>>> forget to return VLAN 2 in the registration role in the switch 
>>>>>>>> configuration) and they will never get a role or be registered. They 
>>>>>>>> will end up having access on VLAN 2.
>>>>>>>> 
>>>>>>>> What are those devices ?
>>>>>>>> 
>>>>>>>> Thanks,
>>>>>>>> 
>>>>>>>> Ludovic Zammit
>>>>>>>> 
>>>>>>>>> On Apr 7, 2021, at 1:25 AM, Heusler Marie-Cécile <[email protected]> wrote:
>>>>>>>>> 
>>>>>>>>> Ok, I enabled mac authentication, but now here are my radius logs 
>>>>>>>>> once I connect the node to the switch:
>>>>>>>>> 
>>>>>>>>> 
>>>>>>>>> Apr 7 07:19:51 TPI-PF1 auth[1944]: Adding client 192.168.137.200/32
>>>>>>>>> Apr 7 07:19:51 TPI-PF1 auth[1944]: [mac:98:e7:f4:14:44:f0] Accepted 
>>>>>>>>> user: and returned VLAN
>>>>>>>>> Apr 7 07:19:51 TPI-PF1 auth[1944]: (3879) Login OK: [98e7f41444f0] 
>>>>>>>>> (from client 192.168.137.200/32 port 19 cli 98:e7:f4:14:44:f0)
>>>>>>>>> 
>>>>>>>>> Apr 7 07:19:51 TPI-PF1 packetfence_httpd.aaa: httpd.aaa(1218) INFO: 
>>>>>>>>> [mac:98:e7:f4:14:44:f0] handling radius autz request: from switch_ip 
>>>>>>>>> => (192.168.137.200), connection_type => Ethernet-NoEAP,switch_mac => 
>>>>>>>>> (00:16:b9:0b:37:0d), mac => [98:e7:f4:14:44:f0], port => 19, username 
>>>>>>>>> => "98e7f41444f0" (pf::radius::authorize)
>>>>>>>>> Apr 7 07:19:51 TPI-PF1 packetfence_httpd.aaa: httpd.aaa(1218) INFO: 
>>>>>>>>> [mac:98:e7:f4:14:44:f0] Instantiate profile default 
>>>>>>>>> (pf::Connection::ProfileFactory::_from_profile)
>>>>>>>>> Apr 7 07:19:51 TPI-PF1 packetfence_httpd.aaa: httpd.aaa(1218) INFO: 
>>>>>>>>> [mac:98:e7:f4:14:44:f0] Match rule Email-on-role 
>>>>>>>>> (pf::access_filter::test)
>>>>>>>>> Apr 7 07:19:51 TPI-PF1 packetfence_httpd.aaa: httpd.aaa(1218) INFO: 
>>>>>>>>> [mac:98:e7:f4:14:44:f0] Found authentication source(s) : 
>>>>>>>>> 'local,file1,MonDomaine' for realm 'null' 
>>>>>>>>> (pf::config::util::filter_authentication_sources)
>>>>>>>>> Apr 7 07:19:51 TPI-PF1 packetfence_httpd.aaa: httpd.aaa(1218) WARN: 
>>>>>>>>> [mac:98:e7:f4:14:44:f0] No category computed for autoreg 
>>>>>>>>> (pf::role::getNodeInfoForAutoReg)
>>>>>>>>> Apr 7 07:19:51 TPI-PF1 packetfence_httpd.aaa: httpd.aaa(1218) INFO: 
>>>>>>>>> [mac:98:e7:f4:14:44:f0] Match rule Email-on-role 
>>>>>>>>> (pf::access_filter::test)
>>>>>>>>> Apr 7 07:19:51 TPI-PF1 packetfence_httpd.webservices: 
>>>>>>>>> httpd.webservices(1790) WARN: [mac:98:e7:f4:14:44:f0] Unable to pull 
>>>>>>>>> accounting history for device 98:e7:f4:14:44:f0. The history set 
>>>>>>>>> doesn't exist yet. (pf::accounting_events_history::latest_mac_history)
>>>>>>>>> Apr 7 07:19:51 TPI-PF1 packetfence_httpd.aaa: httpd.aaa(1218) INFO: 
>>>>>>>>> [mac:98:e7:f4:14:44:f0] Found authentication source(s) : 
>>>>>>>>> 'local,file1,MonDomaine' for realm 'null' 
>>>>>>>>> (pf::config::util::filter_authentication_sources)
>>>>>>>>> Apr 7 07:19:51 TPI-PF1 packetfence_httpd.aaa: httpd.aaa(1218) INFO: 
>>>>>>>>> [mac:98:e7:f4:14:44:f0] Connection type is MAC-AUTH. Getting role 
>>>>>>>>> from node_info (pf::role::getRegisteredRole)
>>>>>>>>> Apr 7 07:19:51 TPI-PF1 packetfence_httpd.aaa: httpd.aaa(1218) WARN: 
>>>>>>>>> [mac:98:e7:f4:14:44:f0] Use of uninitialized value $role in 
>>>>>>>>> concatenation (.) or string at /usr/local/pf/lib/pf/role.pm line 489.
>>>>>>>>> (pf::role::getRegisteredRole)
>>>>>>>>> Apr 7 07:19:51 TPI-PF1 packetfence_httpd.aaa: httpd.aaa(1218) INFO: 
>>>>>>>>> [mac:98:e7:f4:14:44:f0] Username was NOT defined or unable to match a 
>>>>>>>>> role - returning node based role '' (pf::role::getRegisteredRole)
>>>>>>>>> 
>>>>>>>>> 
>>>>>>>>> 
>>>>>>>>> I tried to create a new connection profile, but the result is the 
>>>>>>>>> same.
>>>>>>>>> 
>>>>>>>>> Any ideas?
>>>>>>>>> 
>>>>>>>>> Thanks
>>>>>>>>> 
>>>>>>>>> 
>>>>>>>>> From: Ludovic Zammit <[email protected]>
>>>>>>>>> Sent: Tuesday, 6 April 2021 19:48
>>>>>>>>> To: Heusler Marie-Cécile
>>>>>>>>> Cc: [email protected]
>>>>>>>>> Subject: Re: VLAN for rejected machine
>>>>>>>>>  
>>>>>>>>> You can't, because if those non-joined machines connect over 802.1X 
>>>>>>>>> they will fail and stay there.
>>>>>>>>> 
>>>>>>>>> What you want to do is 802.1X + MAC authentication bypass (MAB) on 
>>>>>>>>> the switch port.
>>>>>>>>> 
>>>>>>>>> A non-corporate machine should do MAB and land on the captive portal 
>>>>>>>>> and authenticate. If you want to skip that part, you can put VLAN ID 
>>>>>>>>> 2 in the registration role on the switch so everyone that does MAC 
>>>>>>>>> authentication would be redirected to VLAN 2.
>>>>>>>>> 
>>>>>>>>> Thanks,
>>>>>>>>> 
>>>>>>>>> Ludovic Zammit
>>>>>>>>> 
>>>>>>>>>> On Apr 6, 2021, at 1:33 PM, Heusler Marie-Cécile <[email protected]> wrote:
>>>>>>>>>> 
>>>>>>>>>> Hello
>>>>>>>>>> 
>>>>>>>>>> I have an authentication source that gives the role VLAN1 to the 
>>>>>>>>>> corporate machines.
>>>>>>>>>> 
>>>>>>>>>> [screenshots attached to the original message; not reproduced here]
>>>>>>>>>> 
>>>>>>>>>> Now I want to give to the non-corporate machines the role VLAN2. 
>>>>>>>>>> However, I can't assign a role to a node that can't login to the 
>>>>>>>>>> source.
>>>>>>>>>> 
>>>>>>>>>> 
>>>>>>>>>> Adding client 10.104.92.130/32
>>>>>>>>>> Apr 6 19:11:06 packetfence auth[19459]: (195) 
>>>>>>>>>> chrooted_mschap_machine: ERROR: Program returned code (1) and output 
>>>>>>>>>> 'Logon failure (0xc000006d)'
>>>>>>>>>> Apr 6 19:11:06 packetfence auth[19459]: (195) Login incorrect 
>>>>>>>>>> (chrooted_mschap_machine: Program returned code (1) and output 
>>>>>>>>>> 'Logon failure (0xc000006d)'): [host/client.tpi.local] (from client 
>>>>>>>>>> 10.104.92.130/32 port 21 cli 2c:44:fd:65:ab:27 via TLS tunnel)
>>>>>>>>>> Apr 6 19:11:06 packetfence auth[19459]: [mac:2c:44:fd:65:ab:27] 
>>>>>>>>>> Rejected user: host/client.tpi.local
>>>>>>>>>> Apr 6 19:11:06 packetfence auth[19459]: (196) Login incorrect 
>>>>>>>>>> (eap_peap: The users session was previously rejected: returning 
>>>>>>>>>> reject (again.)): [host/client.tpi.local] (from client 
>>>>>>>>>> 10.104.92.130/32 port 21 cli 2c:44:fd:65:ab:27)
>>>>>>>>>> 
>>>>>>>>>> 
>>>>>>>>>> A client that is not in the domain will get a login incorrect. But 
>>>>>>>>>> how can I say that every client out of the domain will move to the 
>>>>>>>>>> VLAN2 role?
>>>>>>>>>> 
>>>>>>>>>> 
>>>>>>>>>> Thank you for your reply.

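Added example, not from the thread and not PacketFence code: a Python triage of the packetfence.log / radius.log lines quoted in the replies above, grouping them by MAC and flagging the failure modes discussed (machine authentication failing for a non-domain host, a source rule that computes no role, a registered node with an empty role). SAMPLE_LOG is constructed from the lines posted in the thread, re-joined onto single lines; the finding tags, the triage() function and the hint texts (which restate Ludovic's advice) are mine.

```python
"""Triage of PacketFence / FreeRADIUS log lines (added example, not PacketFence code).
Groups the lines by MAC and flags the failure modes discussed in this thread."""
import re
from typing import Dict

MAC = r"[0-9a-f]{2}(?::[0-9a-f]{2}){5}"
MAC_TAG = re.compile(r"\[mac:(" + MAC + r")\]", re.I)          # packetfence.log style
CLI_TAG = re.compile(r"\bcli (" + MAC + r")", re.I)             # radius.log "cli <mac>"
CONN_TYPE = re.compile(r"connection_type => ([\w-]+)")
SOURCES = re.compile(r"Found authentication source\(s\) : '([^']*)' for realm '([^']*)'")
RULE = re.compile(r"Match rule (\S+) \(pf::access_filter::test\)")

# (substring in the line, finding tag, RADIUS outcome it implies or None, hint)
# Tags and hints are mine; the hints restate the advice given in the replies above.
SIGNATURES = [
    ("Accepted user:", "accepted", "accept", None),
    ("Rejected user:", "rejected", "reject", None),
    ("no role computed by any sources", "no_role_computed", None,
     "a source rule matched but returned no Role: every rule must return a Role "
     "and an Access Duration / Unregistration date"),
    ("No role specified or found for pid", "no_role_for_pid", None, None),
    ("Logon failure (0xc000006d)", "machine_auth_failed", "reject",
     "machine account unknown to the domain: a non-domain host on 802.1X; "
     "configure 802.1X + MAB on the port so it falls back to MAC authentication"),
    ("returning node based role ''", "empty_role", None,
     "node has no role, so no VLAN can be looked up in the switch's Roles table"),
]


def triage(log_text: str) -> Dict[str, dict]:
    """Return {mac: summary}; lines without a MAC (e.g. 'Adding client') are skipped."""
    report: Dict[str, dict] = {}
    for line in log_text.splitlines():
        m = MAC_TAG.search(line) or CLI_TAG.search(line)
        if not m:
            continue
        mac = m.group(1).lower()
        e = report.setdefault(mac, {"connection_type": None, "sources": None, "realm": None,
                                    "rules": [], "outcome": None, "findings": [], "hints": []})
        c = CONN_TYPE.search(line)
        if c:
            e["connection_type"] = c.group(1)
        s = SOURCES.search(line)
        if s:
            e["sources"], e["realm"] = s.group(1).split(","), s.group(2)
        r = RULE.search(line)
        if r and r.group(1) not in e["rules"]:
            e["rules"].append(r.group(1))
        for needle, tag, outcome, hint in SIGNATURES:
            if needle in line:
                if tag not in e["findings"]:
                    e["findings"].append(tag)
                if outcome:
                    e["outcome"] = outcome       # the last RADIUS verdict in the file wins
                if hint and hint not in e["hints"]:
                    e["hints"].append(hint)
    return report


# Constructed from the log lines posted in this thread, re-joined onto single lines.
SAMPLE_LOG = """\
Adding client 10.104.92.130/32
Apr 6 19:11:06 packetfence auth[19459]: (195) chrooted_mschap_machine: ERROR: Program returned code (1) and output 'Logon failure (0xc000006d)'
Apr 6 19:11:06 packetfence auth[19459]: (195) Login incorrect (chrooted_mschap_machine: Program returned code (1) and output 'Logon failure (0xc000006d)'): [host/client.tpi.local] (from client 10.104.92.130/32 port 21 cli 2c:44:fd:65:ab:27 via TLS tunnel)
Apr 6 19:11:06 packetfence auth[19459]: [mac:2c:44:fd:65:ab:27] Rejected user: host/client.tpi.local
Apr 7 07:19:51 TPI-PF1 auth[1944]: Adding client 192.168.137.200/32
Apr 7 07:19:51 TPI-PF1 auth[1944]: [mac:98:e7:f4:14:44:f0] Accepted user: and returned VLAN
Apr 7 07:19:51 TPI-PF1 auth[1944]: (3879) Login OK: [98e7f41444f0] (from client 192.168.137.200/32 port 19 cli 98:e7:f4:14:44:f0)
Apr 7 07:19:51 TPI-PF1 packetfence_httpd.aaa: httpd.aaa(1218) INFO: [mac:98:e7:f4:14:44:f0] Connection type is MAC-AUTH. Getting role from node_info (pf::role::getRegisteredRole)
Apr 7 07:19:51 TPI-PF1 packetfence_httpd.aaa: httpd.aaa(1218) INFO: [mac:98:e7:f4:14:44:f0] Username was NOT defined or unable to match a role - returning node based role '' (pf::role::getRegisteredRole)
Apr 8 18:02:06 TPI-PF1 auth[1993]: [mac:2c:44:fd:65:ab:27] Rejected user: 2c44fd65ab27
Apr 8 18:02:06 TPI-PF1 auth[1993]: (3098) Rejected in post-auth: [2c44fd65ab27] (from client 192.168.137.200/32 port 19 cli 2c:44:fd:65:ab:27)
Apr 9 06:21:21 TPI-PF1 packetfence_httpd.aaa: httpd.aaa(1235) INFO: [mac:2c:44:fd:65:ab:27] handling radius autz request: from switch_ip => (192.168.137.200), connection_type => Ethernet-NoEAP,switch_mac => (00:16:b9:0b:37:0d), mac => [2c:44:fd:65:ab:27], port => 19, username => "2c44fd65ab27" (pf::radius::authorize)
Apr 9 06:21:21 TPI-PF1 packetfence_httpd.aaa: httpd.aaa(1235) INFO: [mac:2c:44:fd:65:ab:27] Match rule Email-on-role (pf::access_filter::test)
Apr 9 06:21:21 TPI-PF1 packetfence_httpd.aaa: httpd.aaa(1235) INFO: [mac:2c:44:fd:65:ab:27] Found authentication source(s) : 'local,file1,MonDomaine' for realm 'null' (pf::config::util::filter_authentication_sources)
Apr 9 06:21:21 TPI-PF1 packetfence_httpd.aaa: httpd.aaa(1235) WARN: [mac:2c:44:fd:65:ab:27] No role specified or found for pid 2c44fd65ab27 (MAC 2c:44:fd:65:ab:27); assume maximum number of registered nodes is reached (pf::node::is_max_reg_nodes_reached)
Apr 9 06:21:21 TPI-PF1 packetfence_httpd.aaa: httpd.aaa(1235) ERROR: [mac:2c:44:fd:65:ab:27] no role computed by any sources - registration of 2c:44:fd:65:ab:27 to 2c44fd65ab27 failed (pf::registration::setup_node_for_registration)
"""

if __name__ == "__main__":
    for mac, summary in triage(SAMPLE_LOG).items():
        print(mac, summary["connection_type"], summary["outcome"], summary["findings"])
        for hint in summary["hints"]:
            print("   hint:", hint)
```

Run it against `grep <mac> /usr/local/pf/logs/packetfence.log` output (the command suggested earlier in the thread) plus the matching radius lines; the MAC is taken from the `[mac:...]` tag when present and from the `cli <mac>` field otherwise, so FreeRADIUS lines without either tag are ignored rather than misattributed.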
_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
