So it's weird, because here are my logs when I connect an off-domain machine:

Apr 8 18:02:06 TPI-PF1 auth[1993]: [mac:2c:44:fd:65:ab:27] Rejected user: 2c44fd65ab27
Apr 8 18:02:06 TPI-PF1 auth[1993]: (3098) Rejected in post-auth: [2c44fd65ab27] (from client 192.168.137.200/32 port 19 cli 2c:44:fd:65:ab:27)
Apr 8 18:02:06 TPI-PF1 auth[1993]: (3098) Incorrect login: [2c44fd65ab27] (from client 192.168.137.200/32 port 19 cli 2c:44:fd:65:ab:27)
Apr 8 18:02:06 TPI-PF1 auth[1993]: [mac:2c:44:fd:65:ab:27] Rejected user: 2c44fd65ab27
Apr 8 18:02:06 TPI-PF1 auth[1993]: (3098) Rejected in post-auth: [2c44fd65ab27] (from client 192.168.137.200/32 port 19 cli 2c:44:fd:65:ab:27)
Apr 8 18:02:06 TPI-PF1 auth[1993]: (3098) Incorrect login: [2c44fd65ab27] (from client 192.168.137.200/32 port 19 cli 2c:44:fd:65:ab:27)

And I get the message 'no role computed by any source'.


However, if I create a 'null' source and create a profile with the filter 
"ethernet no-eap" and my null source, it works.
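An added triage script, not from this thread or from the PacketFence project, that walks the auth and httpd.aaa log lines quoted in the thread and classifies each MAC as rejected (failed 802.1X/AD login), accepted without a computed role (the 'no role computed' situation above, where the device only gets the switch's registration VLAN), or accepted with a role. The sample lines and the phrase-to-finding mapping are constructed from the log excerpts in this thread.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the FreeRADIUS/PacketFence log lines quoted
# in this thread (same MACs, wrapped lines rejoined).
SAMPLE_LOG = """\
Apr 8 18:02:06 TPI-PF1 auth[1993]: [mac:2c:44:fd:65:ab:27] Rejected user: 2c44fd65ab27
Apr 8 18:02:06 TPI-PF1 auth[1993]: (3098) Rejected in post-auth: [2c44fd65ab27] (from client 192.168.137.200/32 port 19 cli 2c:44:fd:65:ab:27)
Apr 7 07:19:51 TPI-PF1 auth[1944]: [mac:98:e7:f4:14:44:f0] Accepted user: and returned VLAN
Apr 7 07:19:51 TPI-PF1 packetfence_httpd.aaa: httpd.aaa(1218) WARN: [mac:98:e7:f4:14:44:f0] No category computed for autoreg (pf::role::getNodeInfoForAutoReg)
Apr 7 07:19:51 TPI-PF1 packetfence_httpd.aaa: httpd.aaa(1218) INFO: [mac:98:e7:f4:14:44:f0] Username was NOT defined or unable to match a role - returning node based role '' (pf::role::getRegisteredRole)
"""

# MAC appears as "[mac:xx:..]" (PacketFence) or "cli xx:.." (FreeRADIUS).
MAC_RE = re.compile(r"(?:\[mac:|cli )([0-9a-f]{2}(?::[0-9a-f]{2}){5})")
# Log phrases from the thread, mapped to the finding an operator cares about.
FINDINGS = {
    "Rejected user": "radius_reject",
    "Rejected in post-auth": "radius_reject",
    "Incorrect login": "radius_reject",
    "Accepted user": "radius_accept",
    "No category computed for autoreg": "no_role",
    "returning node based role ''": "no_role",
}

def parse_line(line):
    """Return (mac, finding) for a recognised line, else None."""
    m = MAC_RE.search(line)
    if m:
        for phrase, finding in FINDINGS.items():
            if phrase in line:
                return m.group(1), finding
    return None

def triage(log_text):
    """Per MAC: 'rejected' (RADIUS reject, e.g. failed 802.1X/AD login),
    'accepted_no_role' (MAB Accept but no role computed, so the device only
    gets the switch's registration VLAN) or 'accepted_with_role'."""
    per_mac = defaultdict(set)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed:
            per_mac[parsed[0]].add(parsed[1])
    return {
        mac: "rejected" if "radius_reject" in f
        else "accepted_no_role" if "no_role" in f
        else "accepted_with_role"
        for mac, f in per_mac.items()
    }
```

Run it against /usr/local/pf/logs output the same way to see which devices are landing in the registration VLAN with no role rather than being rejected outright.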



________________________________
From: Ludovic Zammit <[email protected]>
Sent: Thursday, 8 April 2021 17:56
To: Heusler Marie-Cécile
Cc: [email protected]
Subject: Re: VLAN for rejected machine

No, it’s a default behavior, they will be put in VLAN 2 if they are 
unregistered.

Thanks,

Ludovic Zammit
[email protected] :: +1.514.447.4918 (x145) :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence (http://packetfence.org)

On Apr 8, 2021, at 10:25 AM, Heusler Marie-Cécile 
<[email protected]> wrote:

That's what I did, but do I have to create a specific source for that, and a profile?
________________________________
From: Ludovic Zammit <[email protected]>
Sent: Thursday, 8 April 2021 16:11:59
To: Heusler Marie-Cécile
Cc: [email protected]
Subject: Re: VLAN for rejected machine

Ok so put VLAN 2 as the registration VLAN in your switch configuration under 
Configuration > Policies and Access Control > Switches > Switch IP > Roles > 
Registration -> 2

Thanks,

Ludovic Zammit

On Apr 8, 2021, at 9:48 AM, Heusler Marie-Cécile 
<[email protected]> wrote:

Not really. I just want devices that don't match my AD source to go to VLAN2 and be able to do nothing.


________________________________

From: Ludovic Zammit <[email protected]>
Sent: Thursday, 8 April 2021 15:29
To: Heusler Marie-Cécile
Cc: [email protected]
Subject: Re: VLAN for rejected machine

Is this the registration VLAN?

Thanks,

Ludovic Zammit

On Apr 8, 2021, at 8:12 AM, Heusler Marie-Cécile 
<[email protected]> wrote:

For the time being, VLAN2 simply serves as an isolation VLAN. The workstations 
should not access anything from this VLAN.


________________________________
From: Ludovic Zammit <[email protected]>
Sent: Thursday, 8 April 2021 13:33
To: Heusler Marie-Cécile
Cc: [email protected]
Subject: Re: VLAN for rejected machine

What's VLAN 2 and what is its purpose?

Thanks,

Ludovic Zammit

On Apr 8, 2021, at 1:38 AM, Heusler Marie-Cécile 
<[email protected]> wrote:


The devices are, for example, laptops that are not part of the domain. I want 
them to enter VLAN2, but I don't know them in advance.

Where do I specify that I want them to be in VLAN2, without their login failing 
with my AD source?

What I've tried to do so far is to create a second Authorization source, and a 
new profile that uses that source. I don't know if this is correct.

Thanks

________________________________
From: Ludovic Zammit <[email protected]>
Sent: Wednesday, 7 April 2021 13:53:40
To: Heusler Marie-Cécile
Cc: [email protected]
Subject: Re: VLAN for rejected machine

With MAC authentication, you will need to pre-import your MAC addresses if you know them, create a VLAN filter that automatically matches a MAC OUI, for example, or redirect them to the captive portal to give them an option to register themselves.

In your case, if you don't know them, you return VLAN 2 (don't forget to return VLAN 2 in the registration role in the switch configuration) and they will never get a role or be registered. They will end up having access on VLAN 2.

What are those devices?

Thanks,

Ludovic Zammit

On Apr 7, 2021, at 1:25 AM, Heusler Marie-Cécile 
<[email protected]> wrote:


Ok, I enabled mac authentication, but now here are my radius logs once I 
connect the node to the switch:


Apr 7 07:19:51 TPI-PF1 auth[1944]: Adding client 192.168.137.200/32
Apr 7 07:19:51 TPI-PF1 auth[1944]: [mac:98:e7:f4:14:44:f0] Accepted user: and returned VLAN
Apr 7 07:19:51 TPI-PF1 auth[1944]: (3879) Login OK: [98e7f41444f0] (from client 192.168.137.200/32 port 19 cli 98:e7:f4:14:44:f0)

Apr 7 07:19:51 TPI-PF1 packetfence_httpd.aaa: httpd.aaa(1218) INFO: [mac:98:e7:f4:14:44:f0] handling radius autz request: from switch_ip => (192.168.137.200), connection_type => Ethernet-NoEAP,switch_mac => (00:16:b9:0b:37:0d), mac => [98:e7:f4:14:44:f0], port => 19, username => "98e7f41444f0" (pf::radius::authorize)
Apr 7 07:19:51 TPI-PF1 packetfence_httpd.aaa: httpd.aaa(1218) INFO: [mac:98:e7:f4:14:44:f0] Instantiate profile default (pf::Connection::ProfileFactory::_from_profile)
Apr 7 07:19:51 TPI-PF1 packetfence_httpd.aaa: httpd.aaa(1218) INFO: [mac:98:e7:f4:14:44:f0] Match rule Email-on-role (pf::access_filter::test)
Apr 7 07:19:51 TPI-PF1 packetfence_httpd.aaa: httpd.aaa(1218) INFO: [mac:98:e7:f4:14:44:f0] Found authentication source(s) : 'local,file1,MonDomaine' for realm 'null' (pf::config::util::filter_authentication_sources)
Apr 7 07:19:51 TPI-PF1 packetfence_httpd.aaa: httpd.aaa(1218) WARN: [mac:98:e7:f4:14:44:f0] No category computed for autoreg (pf::role::getNodeInfoForAutoReg)
Apr 7 07:19:51 TPI-PF1 packetfence_httpd.aaa: httpd.aaa(1218) INFO: [mac:98:e7:f4:14:44:f0] Match rule Email-on-role (pf::access_filter::test)
Apr 7 07:19:51 TPI-PF1 packetfence_httpd.webservices: httpd.webservices(1790) WARN: [mac:98:e7:f4:14:44:f0] Unable to pull accounting history for device 98:e7:f4:14:44:f0. The history set doesn't exist yet. (pf::accounting_events_history::latest_mac_history)
Apr 7 07:19:51 TPI-PF1 packetfence_httpd.aaa: httpd.aaa(1218) INFO: [mac:98:e7:f4:14:44:f0] Found authentication source(s) : 'local,file1,MonDomaine' for realm 'null' (pf::config::util::filter_authentication_sources)
Apr 7 07:19:51 TPI-PF1 packetfence_httpd.aaa: httpd.aaa(1218) INFO: [mac:98:e7:f4:14:44:f0] Connection type is MAC-AUTH. Getting role from node_info (pf::role::getRegisteredRole)
Apr 7 07:19:51 TPI-PF1 packetfence_httpd.aaa: httpd.aaa(1218) WARN: [mac:98:e7:f4:14:44:f0] Use of uninitialized value $role in concatenation (.) or string at /usr/local/pf/lib/pf/role.pm line 489. (pf::role::getRegisteredRole)
Apr 7 07:19:51 TPI-PF1 packetfence_httpd.aaa: httpd.aaa(1218) INFO: [mac:98:e7:f4:14:44:f0] Username was NOT defined or unable to match a role - returning node based role '' (pf::role::getRegisteredRole)



I tried to create a new connection profile, but the result is the same.

Any ideas?

Thanks


________________________________
From: Ludovic Zammit <[email protected]>
Sent: Tuesday, 6 April 2021 19:48
To: Heusler Marie-Cécile
Cc: [email protected]
Subject: Re: VLAN for rejected machine

You can't, because if those non-joined machines connect over 802.1X they will fail and stay there.

What you want to do is 802.1X + MAC authentication bypass (MAB) on the switch port.

A non-corporate machine should do MAB, land on the captive portal and authenticate. If you want to skip that part, you can put VLAN ID 2 in the registration role on the switch so everyone that does MAC authentication would be redirected to VLAN 2.

Thanks,

Ludovic Zammit

On Apr 6, 2021, at 1:33 PM, Heusler Marie-Cécile 
<[email protected]> wrote:

Hello

I have an authentication source that gives the role VLAN1 to the corporate 
machines.

Now I want to give to the non-corporate machines the role VLAN2. However, I 
can't assign a role to a node that can't login to the source.


Adding client 10.104.92.130/32
Apr 6 19:11:06 packetfence auth[19459]: (195) chrooted_mschap_machine: ERROR: Program returned code (1) and output 'Logon failure (0xc000006d)'
Apr 6 19:11:06 packetfence auth[19459]: (195) Login incorrect (chrooted_mschap_machine: Program returned code (1) and output 'Logon failure (0xc000006d)'): [host/client.tpi.local] (from client 10.104.92.130/32 port 21 cli 2c:44:fd:65:ab:27 via TLS tunnel)
Apr 6 19:11:06 packetfence auth[19459]: [mac:2c:44:fd:65:ab:27] Rejected user: host/client.tpi.local
Apr 6 19:11:06 packetfence auth[19459]: (196) Login incorrect (eap_peap: The users session was previously rejected: returning reject (again.)): [host/client.tpi.local] (from client 10.104.92.130/32 port 21 cli 2c:44:fd:65:ab:27)


A client that is not in the domain will get a login incorrect. But how can I say that every client out of the domain will move to the VLAN2 role?


Thank you for your reply.

_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
