Implement MAB #114
Comments
I'll take a look at this. Preemptive Identity Requests (#46) will help. Basic process:
|
Thanks -- I don't know much about the current implementation, but all looks
good to me!
One question -- "Success as usual, apply ACL" -- is there any
documentation/description of what this ACL is? I was looking through the
Faucet_dot1x code and it wasn't immediately obvious, and wasn't quite sure
where to look...
…On Wed, Feb 20, 2019 at 3:33 PM Michael Baird ***@***.***> wrote:
I'll take a look at this.
Preemptive Identity Requests (#46) will help.
Basic process:
1. Preemptively send EAP Identity Request (Issue #46)
2. EAPOL timeout
3. Get MAC address via:
a) Redirect all packets (or a subset) to Chewie. Could be a way to DoS Chewie - could use a meter. May want to add a 'redirect' ACL to the dynamic ACL PR on Faucet (faucetsdn/faucet#2703), so user can configure what to redirect.
b) Learning pipeline. Drop at output (requires egress table).
4. Send RADIUS request (without the EAP) to RADIUS. RADIUS then performs authentication.
5. Success as usual, apply ACL.
|
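Step 4 of the process quoted above, as an added example that is not part of the thread or of Chewie's code: a MAB Access-Request carries no EAP-Message, so the learned MAC address stands in for the credentials. Sending the MAC as both User-Name and User-Password, Service-Type Call-Check, and all function names are assumptions based on common MAB conventions; the MAC and shared secret are supplied by the caller.

```python
import hashlib, hmac, os, struct

# RADIUS codes and attribute types (RFC 2865, RFC 2869).
ACCESS_REQUEST, CALL_CHECK = 1, 10
USER_NAME, USER_PASSWORD, SERVICE_TYPE = 1, 2, 6
CALLING_STATION_ID, MESSAGE_AUTHENTICATOR = 31, 80

def attr(attr_type, value):  # encode one type-length-value attribute
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def hide_password(password, secret, authenticator):
    """User-Password hiding from RFC 2865 section 5.2."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], mask))
        out += prev
    return out

def build_mab_request(mac, secret, identifier, authenticator=None):
    """Access-Request for a MAC learned after the EAPOL timeout (no EAP-Message)."""
    authenticator = authenticator or os.urandom(16)
    hexmac = mac.replace(":", "").replace("-", "").lower()
    if len(hexmac) != 12 or any(c not in "0123456789abcdef" for c in hexmac):
        raise ValueError("not a MAC address: %r" % mac)
    name = hexmac.encode()
    station = "-".join(hexmac[i:i + 2] for i in range(0, 12, 2)).upper().encode()
    # Assumption: MAC as User-Name and User-Password, Service-Type Call-Check.
    attrs = (attr(USER_NAME, name)
             + attr(USER_PASSWORD, hide_password(name, secret, authenticator))
             + attr(SERVICE_TYPE, struct.pack("!I", CALL_CHECK))
             + attr(CALLING_STATION_ID, station)
             + attr(MESSAGE_AUTHENTICATOR, b"\x00" * 16))
    packet = bytearray(struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
                       + authenticator + attrs)
    # Message-Authenticator: HMAC-MD5 over the packet with the field zeroed.
    packet[-16:] = hmac.new(secret, bytes(packet), hashlib.md5).digest()
    return bytes(packet)

def parse_attributes(packet):
    """Decode the attributes that follow the 20-byte header."""
    attrs, pos = {}, 20
    while pos < len(packet):
        length = packet[pos + 1] if pos + 2 <= len(packet) else 0
        if length < 2 or pos + length > len(packet):
            raise ValueError("malformed attribute")
        attrs[packet[pos]] = packet[pos + 2:pos + length]
        pos += length
    return attrs
```

Because the only credential is the MAC address, the ACL applied on success is what bounds the access a MAB-authenticated port receives.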
The current success ACL is a basic allow anything on the authenticated port with the src MAC address through. https://github.com/faucetsdn/faucet/blob/master/faucet/valve_acl.py#L250 faucetsdn/faucet#2703 will add the configuration option for ACLs on success/failure to be defined by the user. A later version will allow ACLs to be applied based on the RADIUS attributes in the Access-Accept. |
@gizmoguy Can you close this? |
Implement MAB when EAPOL times out. Needed for IoT devices.