From: Nicolas Quiniou-B. <nq...@in...> - 2020-02-03 12:21:45
Hello David,

On 30/01/2020 15:54, David Harvey via PacketFence-users wrote:
> I currently have a functional setup where users get allocated their
> VLANs properly regardless of if they do MAB or EAP, but I've not for
> love nor money been able to work out how to discriminate between the two
> effectively.

You can use two connection profiles to distinguish EAP-TLS and MAB (on wired):

#v+
# cat profiles.conf
[eap-tls]
locale=
filter=connection_type:Ethernet-EAP,connection_sub_type:EAP-TLS

[mab]
locale=
filter=connection_type:Ethernet-NoEAP
#v-

But IIRC, handling broken EAP clients could be tricky. In fact, it's hard to distinguish a badly configured supplicant from an unauthorized supplicant. I'm not sure your network devices will always fall back to MAB when you have a badly configured supplicant that receives a RADIUS reject message (e.g. due to an expired cert).

RADIUS and VLAN filters could certainly help you.

-- 
Nicolas Quiniou-Briand
nq...@in... :: +1.514.447.4918 *140 :: https://inverse.ca
Inverse inc. :: Leaders behind SOGo (https://sogo.nu), PacketFence (https://packetfence.org) and Fingerbank (http://fingerbank.org)
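
Added example, not part of the original message and not PacketFence code: a sketch of how the MAB/EAP distinction used by the two filters above can be read from a wired RADIUS Access-Request. The attribute dictionaries, the function names and the mapping onto the `Ethernet-EAP` / `Ethernet-NoEAP` labels are assumptions for illustration; the numeric values come from RFC 2865 and RFC 3748.

```python
# Added illustration: classify a wired RADIUS Access-Request as MAB or EAP from
# its attributes. Not PacketFence code; label strings mirror the filters above.
import struct

NAS_PORT_TYPE_ETHERNET = 15          # RFC 2865 NAS-Port-Type value
EAP_RESPONSE = 2                     # RFC 3748 EAP code
EAP_METHODS = {1: "Identity", 3: "Nak", 13: "EAP-TLS", 21: "EAP-TTLS", 25: "PEAP"}


def eap_method(eap_message: bytes):
    """Return the EAP type name carried in an EAP-Response, or None."""
    if len(eap_message) < 5:
        return None                  # too short to carry a Type field
    code, _ident, length = struct.unpack("!BBH", eap_message[:4])
    if code != EAP_RESPONSE or length < 5 or length > len(eap_message):
        return None                  # not a response, or inconsistent length
    return EAP_METHODS.get(eap_message[4], f"type-{eap_message[4]}")


def classify(request: dict):
    """Map a decoded Access-Request to (connection_type, connection_sub_type)."""
    if request.get("NAS-Port-Type") != NAS_PORT_TYPE_ETHERNET:
        return ("other", None)
    eap = request.get("EAP-Message")
    if eap is None:
        return ("Ethernet-NoEAP", None)       # MAB: no EAP conversation at all
    return ("Ethernet-EAP", eap_method(eap))


# Constructed sample requests (attribute dicts, not captured traffic).
MAB_REQ = {"NAS-Port-Type": 15, "User-Name": "001122334455"}
TLS_REQ = {"NAS-Port-Type": 15, "User-Name": "host.example",
           "EAP-Message": bytes([2, 7, 0, 6, 13, 0])}
IDENTITY_REQ = {"NAS-Port-Type": 15, "User-Name": "host.example",
                "EAP-Message": bytes([2, 1, 0, 9, 1]) + b"host"}

if __name__ == "__main__":
    for name, req in (("mab", MAB_REQ), ("tls", TLS_REQ), ("identity", IDENTITY_REQ)):
        print(name, classify(req))
```

The first Access-Request of an EAP exchange carries an EAP-Response/Identity, so the method (the sub-type) only becomes visible in a later round of the same conversation.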