Re: [PacketFence-users] secure AP Uplink Ports

[Mudrich, J. via PacketFence-users]

Hello Michael,

I setup a new RADIUS filter with the following settings:

Condition:
                Node_info.mac starts with xx:xx:xx (vendor part of MAC)
Merge Answer: yes
Answer:
                Reply Egreess-VLANID 1
                Reply Egreess-VLANID 4
Reply Egreess-VLANID 200
                Replay HP-Port-MA-Port-Mode 1

The final RADIUS Reply:
REST-HTTP-Status-Code = 200
Reply-Message = "Request processed by PacketFence"
Tunnel-Medium-Type = IEEE-802
Tunnel-Type = VLAN
Egress-VLANID = 1
Egress-VLANID = 4
Egress-VLANID = 200
HP-Port-MA-Port-Mode = 1
Tunnel-Private-Group-Id = "254"

All VLAN IDs are present on the switch.
But the switch says:

Log:
02400 dca: macAuth client, RADIUS-assigned VID validation
            error. MAC C8665D6E5AC0 port 5 VLAN-Id 0 or unknown.

Port-Access:
Port Access MAC-Based Status
         Auths/  Unauth  Untagged Tagged          % In  RADIUS Cntrl
  Port   Guests  Clients VLAN     VLANs  Port COS Limit ACL    Dir   Port Mode



Johannes Mudrich
Mitarbeiter
IT

Altmark-Klinikum gGmbH
Ernst-von-Bergmann-Straße 22
39638 Gardelegen

Tel.:    03907 791229
Fax.:    03907 791248
Mail:    j.mudr...@altmark-klinikum.de

------ ------- ------- -------- ------ -------- ----- ------ ----- ----------
  5      0/0     1       None     No     No       No    No     both  1000FDx

It’s a HPE/Aruba 2510-48G (J9772A)

What did I miss?
And how do I check for registered devices only in the filter conditions? 
Couldn’t find a suitable option even in the developers guide. Is there a 
documentation somewhere describing all the options?
I also tried “radius_request.calling-station-id” at first. But this didn’t work 
at all. So I switched to “node_info.mac”.

When I remove the Egress-VLANs from the filter, it seems to works. Just without 
the tagged VLANs.

Thanks
Johannes


Von: michael.weber [mailto:michael.we...@my-chi.de]
Gesendet: Donnerstag, 23. März 2023 13:57
An: Mudrich, J. <j.mudr...@altmark-klinikum.de>
Cc: packetfence-users@lists.sourceforge.net
Betreff: Re: AW: [PacketFence-users] secure AP Uplink Ports

Let me know if you some more input. I can provide screenshots and other stuff, 
that's not a problem :)

Am 23.03.2023 08:48 schrieb "Mudrich, J." 
<j.mudr...@altmark-klinikum.de<mailto:j.mudr...@altmark-klinikum.de>>:
Hello Michael,

THANK YOU! That sounds promising. Now I just have to understand. :D
I’ll get back to you if I have further questions.

Kind regards
Johannes







Johannes Mudrich
Mitarbeiter
IT

Altmark-Klinikum gGmbH
Ernst-von-Bergmann-Straße 22
39638 Gardelegen
Tel.:

 03907 791229

Fax.:

 03907 791248

Mail:

 j.mudr...@altmark-klinikum.de<mailto:j.mudr...@altmark-klinikum.de>

Von: Michael Weber [mailto:michael.we...@my-chi.de]
Gesendet: Donnerstag, 23. März 2023 07:53
An: 
packetfence-users@lists.sourceforge.net<mailto:packetfence-users@lists.sourceforge.net>
Cc: Mudrich, J. 
<j.mudr...@altmark-klinikum.de<mailto:j.mudr...@altmark-klinikum.de>>
Betreff: AW: [PacketFence-users] secure AP Uplink Ports

Hello Johannes Mudrich

Perhaps this idea is what you are looking for 😊

to secure our APs we do the following:

  1.  MAC authentication for our APs
  2.  Create Radius Filter Engine that matches your AP/requirements and Modify 
the Reply:

Answers:

Reply:Egress-VLAN-Name - 1VLXXX-VLAN1

Reply:Egress-VLAN-Name - 1VLXXX-VLAN2

Reply:HP-Port-MA-Port-Mode - 1



Scopes

returnRadiusAccessAccept

This is working with our HP Switches and should work with every AP (if your 
Radius Filter is set correct 😉 )
Idea: detect the AP in the Port, authenticate it based on your rules and modify 
the the radius answer to set the allowed tagged VLANs and set the Port from 
user based authentication to port based (HP-Port-MA-Port-Mode / 
HPE-Port-MA-Port-Mode). That way the AP will “unlock” the switchport as long as 
a link is active.
“Generally, the “Port Based” method supports one 802.1X-authenticated client on 
a port, which opens the port to an unlimited number of clients.”

If someone unpluggs the AP the Port switches back to user based, and no 
“unsecure” devices are allowed. Plug in the AP, the normal Authentication is 
done and based on the RADIUS Filter configured before the RADIUS response will 
contain the “command” to switch back to port based authentication.

WiFi Clients are automatically allowed on the switchport. You must configure 
802.1x/MAC auth on the WiFi Controller/AP to authentication the WiFi clients.

I am only using HPe but other vendors should be able to switch the 802.1x 
Authentication to Port-based, too.


Best  Regards
Michael Weber

Von: Mudrich, J. via PacketFence-users 
<packetfence-users@lists.sourceforge.net<mailto:packetfence-users@lists.sourceforge.net>>
Gesendet: Mittwoch, 22. März 2023 07:26
An: 
packetfence-users@lists.sourceforge.net<mailto:packetfence-users@lists.sourceforge.net>
Cc: Mudrich, J. 
<j.mudr...@altmark-klinikum.de<mailto:j.mudr...@altmark-klinikum.de>>
Betreff: Re: [PacketFence-users] secure AP Uplink Ports

Hello Mirko,

the Problem with MAC based authentication is, that the port will be blocked as 
soon as a new MAC is registered on the port. So this doesn’t work for access 
point uplink ports. Especially when providing a guest SSID.
On our switches port-security only works with SNMP-traps which I didn’t want to 
setup since we already configured everything for RADIUS. Also it didn’t work 
with PF for some reason.

kind regards
Johannes

Von: sgiops sgiops via PacketFence-users 
[mailto:packetfence-users@lists.sourceforge.net]
Gesendet: Dienstag, 21. März 2023 15:29
An: 
packetfence-users@lists.sourceforge.net<mailto:packetfence-users@lists.sourceforge.net>
Cc: sgiops sgiops <thesgi...@gmail.com<mailto:thesgi...@gmail.com>>
Betreff: Re: [PacketFence-users] secure AP Uplink Ports

Hello Johannes,

Maybe you are describing the "port-security" functionality (this is usually a 
feature provided by the switch OS). Or you can use mac address based 
authentication by manually registering the node (AP).

Regards

Mirko

Il giorno mar 21 mar 2023 alle ore 15:19 Mudrich, J. via PacketFence-users 
<packetfence-users@lists.sourceforge.net<mailto:packetfence-users@lists.sourceforge.net>>
 ha scritto:
Hello everyone,

I have another question regarding port security: Is there any way I can secure 
a port on an edge switch where an access point is connected?
I’m thinking of a scenario where someone takes a ladder, pulls the cable from 
an access point and connects his own device.
Maybe some mechanism like: If port comes up without APs MAC, close the port.

Thanks
Johannes


Johannes Mudrich
Mitarbeiter
IT

Altmark-Klinikum gGmbH
Ernst-von-Bergmann-Straße 22
39638 Gardelegen
Tel.:

 03907 791229

Fax.:

 03907 791248

Mail:

 j.mudr...@altmark-klinikum.de<mailto:j.mudr...@altmark-klinikum.de>


[cid:image001.png@01D95D61.164AC4F0]<https://www.salusaltmarkholding.de/>

Salus Altmark Holding gGmbH
Tel.: +49 39325700
Sitz der Gesellschaft:
Seepark 5 | 39116 Magdeburg
www.salusaltmarkholding.de<https://www.salusaltmarkholding.de>

[cid:image002.png@01D95D61.164AC4F0]<https://ddei5-0-ctp.trendmicro.com:443/wis/clicktime/v1/query?url=https%3a%2f%2fwww.instagram.com%2fsalusaltmarkholding%2f&umid=68CF739B-F790-CF05-B367-97AFFC11F843&auth=3e2d8a84646f95c9f39ab0aaf495a2c8b99c6f77-ad373ec5dbccc94ec82f17e0ec30cf2a06af4445>
 [cid:image003.png@01D95D61.164AC4F0] 
<https://ddei5-0-ctp.trendmicro.com:443/wis/clicktime/v1/query?url=https%3a%2f%2fwww.facebook.com%2fSalusAltmarkHolding&umid=68CF739B-F790-CF05-B367-97AFFC11F843&auth=3e2d8a84646f95c9f39ab0aaf495a2c8b99c6f77-f35887faea570e08d5c4784d2c3d0a7f01fc396c>
  [cid:image004.png@01D95D61.164AC4F0] 
<https://ddei5-0-ctp.trendmicro.com:443/wis/clicktime/v1/query?url=https%3a%2f%2fde.linkedin.com%2fcompany%2fsalus%2dggmbh&umid=68CF739B-F790-CF05-B367-97AFFC11F843&auth=3e2d8a84646f95c9f39ab0aaf495a2c8b99c6f77-438da3e55fc4fc2089ba5ceb19c1b3740e0e627c>
  [cid:image005.png@01D95D61.164AC4F0] 
<https://ddei5-0-ctp.trendmicro.com:443/wis/clicktime/v1/query?url=https%3a%2f%2fwww.xing.com%2fpages%2fsalusaltmarkholdingggmbh&umid=68CF739B-F790-CF05-B367-97AFFC11F843&auth=3e2d8a84646f95c9f39ab0aaf495a2c8b99c6f77-19f49f8e02c4aaa3b1c763f0a5fc5a377da1394f>
  [cid:image006.png@01D95D61.164AC4F0] 
<https://ddei5-0-ctp.trendmicro.com:443/wis/clicktime/v1/query?url=https%3a%2f%2fwww.youtube.com%2fuser%2fSALUSgGmbH&umid=68CF739B-F790-CF05-B367-97AFFC11F843&auth=3e2d8a84646f95c9f39ab0aaf495a2c8b99c6f77-52911fcf4a921f402e1f47166a7761d29c0fc4eb>


Registergericht: AG Stendal: HRB 112594
Geschäftsführer: Jürgen Richter
Aufsichtsratsvorsitz: Wolfgang Beck
Gemäß Art. 13 DSGVO informieren wir darüber, dass Ihre Daten elektronisch 
gespeichert werden. Nähere Informationen: 
www.salusaltmarkholding.de/datenschutz<https://www.salusaltmarkholding.de/datenschutz>


Ab Januar 2022 nehmen wir keine Mails mit doc-, xls- und ppt-Anhängen mehr an.
Bitte verwenden Sie die aktuellen Office-Formate docx, xlsx, pptx oder pdf.



Johannes Mudrich
Mitarbeiter
IT

Altmark-Klinikum gGmbH
Ernst-von-Bergmann-Straße 22
39638 Gardelegen
Tel.:

 03907 791229

Fax.:

 03907 791248

Mail:

 j.mudr...@altmark-klinikum.de<mailto:j.mudr...@altmark-klinikum.de>

_______________________________________________
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net<mailto:PacketFence-users@lists.sourceforge.net>
https://ddei5-0-ctp.trendmicro.com:443/wis/clicktime/v1/query?url=https%3a%2f%2flists.sourceforge.net%2flists%2flistinfo%2fpacketfence%2dusers&umid=68CF739B-F790-CF05-B367-97AFFC11F843&auth=3e2d8a84646f95c9f39ab0aaf495a2c8b99c6f77-0852dc3a501a63499af9bd1956b065734995a301








_______________________________________________
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users