inverse-inc / packetfence

PacketFence is a fully supported, trusted, Free and Open Source network access control (NAC) solution. Boasting an impressive feature set including a captive-portal for registration and remediation, centralized wired and wireless management, powerful BYOD management options, 802.1X support, layer-2 isolation of problematic devices; PacketFence can be used to effectively secure networks small to very large heterogeneous networks.
https://packetfence.org
GNU General Public License v2.0
1.39k stars 292 forks source link

connection_sub_type=MS-EAP-Authentication match when doing EAP-PEAP-MSCHAPv2 #5426

Open nqb opened 4 years ago

nqb commented 4 years ago

Is your feature request related to a problem? Please describe. Currently, when you want to match connexions using EAP-PEAP-MSCHAPv2, you need to use following filter: connection_sub_type=MS-EAP-Authentication which is not obvious (as mentioned in #5280). On top of that, if you check RADIUS audit log of your request, EAP Type is set to MSCHAPv2

Describe the solution you'd like Use a connection_sub_type filter that contains MSCHAPv2 pattern to match this type of connection.

Describe alternatives you've considered Display the sub type within the node info in the radius auditing log so users can read it and match on it.

jrouzierinverse commented 4 years ago

Which type of filter are you talking about?

jrouzierinverse commented 4 years ago

We already support 'MS-CHAP-V2' as a connection_sub_type would that be enough?

fdurand commented 4 years ago

it's just because a confusion, if you check lib/pf/constants/eap_type.pm you can see:

    "MS-EAP-Authentication" => 26,
    "EAP-MSCHAP-V2" => 29,
    "Microsoft-MS-CHAPv2" => 26,
    "MS-CHAP-V2" => 26,

26 is what we use but 29 is what we choose.

jrouzierinverse commented 4 years ago

So what should be done to reduce the confusion?

fdurand commented 4 years ago

Do we compare with the number and not the string ? If it's the case then we probably needs to add a new one like "THIS_IS_THE_ONE_TO_USE_IF_YOU_WANT_TO_MATCH_EAP_PEAP_MSCHAPV2"

jrouzierinverse commented 4 years ago

We compare against the number internally we convert it to a number internally