inverse-inc / packetfence

PacketFence is a fully supported, trusted, Free and Open Source network access control (NAC) solution. Boasting an impressive feature set including a captive portal for registration and remediation, centralized wired and wireless management, powerful BYOD management options, 802.1X support, and layer-2 isolation of problematic devices, PacketFence can be used to effectively secure small to very large heterogeneous networks.
https://packetfence.org
GNU General Public License v2.0
1.39k stars, 291 forks

Default connection profile - allow disable/move or modify behavior to never determine whether a connection succeeds #8361

Closed E-ThanG closed 2 days ago

E-ThanG commented 1 month ago

Is your feature request related to a problem? Please describe.
I've often found that when I make a misconfiguration the default connection profile can let the connection succeed. In some cases it turns into a fail-open type of scenario.

Describe the solution you'd like
Any of these options would be good:

  1. The default connection profile is allowed to be moved around. If I place it at the bottom of the list I could add a default deny rule prior to it so that the default rule would never come into play. I don't see why we need a default rule that is permanently fixed to the top of the list. Cisco ISE also has default policy that can't be deleted, but it's at the bottom of the list and all the custom rules go above it.
  2. The default connection profile is able to be disabled or deleted.
  3. The default connection profile is mostly unchanged, only the behavior is modified to where it can never be the profile that makes the permit/deny decision. It's just there for sub-profile inheritance. This might be a breaking change for installations that rely on the default profile though.

satkunas commented 2 days ago

Fail-open is a default behaviour on the default configuration. First-match wins, and if there is no match then the default connection profile is used. Reconfigure the default connection profile to deny/reject.
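
The matching rule stated in the reply above (profiles tried in order, first match wins, the fixed default profile decides only when nothing matches) is easy to misread, so here is an added worked example that simulates it on constructed input. This is illustrative code written for this page, not PacketFence's own implementation; the profile names, the `ssid`/`connection_type` filter keys and the request attributes are invented for the illustration and are not PacketFence's filter syntax. It shows the same request falling through to the default under a filter typo, once with an allow default (fail-open) and once with a deny default (fail-closed), and also what happens when a catch-all deny profile is placed ahead of the others.

```python
"""Ordered connection-profile matching with a fixed default fallback.

Added example, not PacketFence code: it models the behaviour the maintainer
describes (first match wins; no match falls through to the default profile)
so the fail-open / fail-closed difference can be seen on constructed input.
Profile names, filter keys and request attributes are invented for this
illustration and do not reflect PacketFence's real configuration syntax.
"""
from dataclasses import dataclass, field


@dataclass
class Profile:
    name: str
    decision: str                                  # "allow" or "deny"
    filters: dict = field(default_factory=dict)    # attribute -> expected value
    match_style: str = "all"                       # "all" filters must hit, or "any"

    def matches(self, request: dict) -> bool:
        # An empty filter set is a catch-all: it matches every request.
        if not self.filters:
            return True
        hits = [request.get(attr) == want for attr, want in self.filters.items()]
        return all(hits) if self.match_style == "all" else any(hits)


def select_profile(profiles, default, request):
    """First-match-wins over `profiles`; `default` is used only when nothing matches."""
    for profile in profiles:
        if profile.matches(request):
            return profile
    return default


def decide(profiles, default, request):
    """Return (profile name, decision) for a request."""
    chosen = select_profile(profiles, default, request)
    return chosen.name, chosen.decision


# Constructed profiles. The corporate SSID filter contains a typo
# ("Corp-WiFi" vs the real "CorpWiFi"), the kind of misconfiguration the
# issue reporter describes.
CUSTOM_PROFILES = [
    Profile("corp_wifi", "allow",
            {"ssid": "Corp-WiFi", "connection_type": "Wireless-802.11-EAP"}),
    Profile("guest_wifi", "allow", {"ssid": "Guest"}),
]
DEFAULT_ALLOW = Profile("default", "allow")   # shipped behaviour: fail-open
DEFAULT_DENY = Profile("default", "deny")     # reconfigured default: fail-closed

# Constructed requests (attributes invented for the example).
CORP_LAPTOP = {"ssid": "CorpWiFi", "connection_type": "Wireless-802.11-EAP",
               "mac": "00:11:22:33:44:55"}
GUEST_PHONE = {"ssid": "Guest", "connection_type": "Wireless-802.11-NoEAP",
               "mac": "66:77:88:99:aa:bb"}


def fail_open_example():
    # Typo means no custom profile matches; an allow default lets it through.
    return decide(CUSTOM_PROFILES, DEFAULT_ALLOW, CORP_LAPTOP)   # ('default', 'allow')


def fail_closed_example():
    # Same typo, but the default now denies: the misconfiguration fails closed.
    return decide(CUSTOM_PROFILES, DEFAULT_DENY, CORP_LAPTOP)    # ('default', 'deny')


def shadowed_example():
    # A catch-all deny placed *before* the other profiles wins for every
    # request, so even the guest phone never reaches its own profile.
    deny_all = Profile("deny_all", "deny")
    return decide([deny_all] + CUSTOM_PROFILES, DEFAULT_DENY, GUEST_PHONE)  # ('deny_all', 'deny')


if __name__ == "__main__":
    for label, fn in [("fail-open", fail_open_example),
                      ("fail-closed", fail_closed_example),
                      ("catch-all deny first", shadowed_example)]:
        print(f"{label:22s} -> {fn()}")
```

The third case is the one to watch when troubleshooting: because a profile with no filters matches everything, a deny-all profile only works as a safety net if it is ordered after every profile that is meant to admit devices; placed earlier, it silently shadows them.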

E-ThanG commented 1 day ago

Since it's first match, shouldn't the default profile be pinned to the bottom of the list then?

Also, if I change the default profile, other profiles get changed at the same time. I often break other things that were previously working when I make any changes to the default.

I do have the default connection profile set to deny. I even have an earlier profile set to deny all connections. Perhaps I'm doing something wrong. I fully admit that there is a knowledge barrier here. I'm relatively new to PacketFence, but not at all new to RADIUS. Most of my experience is with Cisco ISE. IMO PacketFence is difficult to set up; it has a high cost of entry in terms of knowledge specific to PacketFence.