
Filter Engines

Menu path: Configuration > Advanced Access Configuration Overview > Filter Engines.

Filter Engines pages are editable text files associated with several network services.

Note

This is an advanced operation and should be used with caution.

Comments at the top of each of the filter files describe their format and are repeated for each filter. The filters available for editing are:

Apache Filters

            # filter can be:
            #
            # user_agent
            # uri
            #
            # method can be:
            #
            # POST
            # GET
            #
            # operator can be:
            # is
            # is_not
            # match
            # match_not
            #
            # action can be any of the HTTP status codes
            #
            # redirect_url can be any URL you would like, but you must remember
            # to set the action to 302 for redirection.
            #
            # Examples:
            #
            ## Only accept a list of user agents
            #[not_allowed_uas_post]
            #filter = user_agent
            #method = POST
            #operator = match_not
            #value = Mozilla|Microsoft|Dalvik|collectd|CaptiveNetworkSupport|BlackBerry
            #[not_allowed_uas_get]
            #filter = user_agent
            #method = GET
            #operator = match_not
            #value = Mozilla|Microsoft|Dalvik|collectd|CaptiveNetworkSupport|BlackBerry
            #[501_blacklisted_uas:not_allowed_uas_post|not_allowed_uas_get]
            #action = 501
            #redirect_url =

DHCP Filters

            # DHCP Filter Configuration
            # =========================
            #
            # Scopes
            # ------
            #
            # It is possible to return custom attributes in the DHCP answer within these specific scopes:
            # - Discover: Rewrite the DHCP Offer
            # - Request: Rewrite the DHCP ACK
            #
            # A "DHCP filter" configuration consists of two (2) parts: rule(s)/condition(s) and action(s).
            # Some working examples covering useful use cases can be found at the bottom of this file.
            #
            # Rule(s)/Condition(s)
            # --------------------
            # Structure example of a rule/condition
            # [NAMEOFRULE]
            # filter = FILTER
            # operator = OPERATOR
            # value = VALUE
            #
            # Filter can be:
            # options.optionVendorClassIdentifier
            # Like: MSFT 5.0, android-dhcp-8.1.0
            # options.optionDHCPMessageType
            # 1 for Discover
            # 3 for Request
            # 4 for Decline
            # 7 for Release
            # 8 for Inform
            # options.optionClientIdentifier
            # is the MAC address of the device, like 001122334455
            # options.optionParameterRequestList
            # options.optionMaximumDHCPMessageSize
            # node_info.autoreg
            # node_info.status
            # node_info.bypass_vlan
            # node_info.bandwidth_balance
            # node_info.regdate
            # node_info.bypass_role
            # node_info.device_class
            # node_info.device_type
            # node_info.device_version
            # node_info.device_score
            # node_info.pid
            # node_info.machine_account
            # node_info.category
            # node_info.mac
            # node_info.last_arp
            # node_info.lastskip
            # node_info.last_dhcp
            # node_info.user_agent
            # node_info.computername
            # node_info.dhcp_fingerprint
            # node_info.detect_date
            # node_info.voip
            # node_info.notes
            # node_info.time_balance
            # node_info.sessionid
            # node_info.dhcp_vendor
            # node_info.unregdate
            # fingerbank_info.device_name
            # fingerbank_info.device_fq
            # fingerbank_info.device_hierarchy_names
            # fingerbank_info.device_hierarchy_ids
            # fingerbank_info.score
            # fingerbank_info.version
            # fingerbank_info.mobile
            # mac
            #
            # For the options filter, you can use all the attributes present
            # in the DHCP request (run tcpdump to see which attributes are sent)
            #
            # Operator can be:
            # is
            # is_not
            # match
            # match_not
            # defined
            # not_defined
            # regex
            # date_is_before
            # date_is_after
            # time
            #
            # Example of the values available to the filters:
            #
            # 'fingerbank_info' => {
            # 'device_fq' => 'Phone, Tablet or Wearable/Generic Android/LGE Android/Nexus 5X',
            # 'device_name' => 'Nexus 5X',
            # 'version' => '8.1.0',
            # 'score' => '75',
            # 'mobile' => 1,
            # 'device_hierarchy_names' => [
            # 'Nexus 5X',
            # 'LGE Android',
            # 'Generic Android',
            # 'Phone, Tablet or Wearable'
            # ],
            # 'device_hierarchy_ids' => [
            # 7939,
            # 2805,
            # 202,
            # 11
            # ]
            # },
            # 'violation' => undef,
            # 'node_info' => {
            # 'autoreg' => 'no',
            # 'last_port' => '1',
            # 'device_class' => 'Android OS',
            # 'bandwidth_balance' => undef,
            # 'bypass_role' => undef,
            # 'device_type' => 'Nexus 5X',
            # 'pid' => 'default',
            # 'dhcp6_enterprise' => '',
            # 'last_seen' => '2018-10-22 15:50:55',
            # 'dhcp6_fingerprint' => '',
            # 'category' => undef,
            # 'mac' => '78:f8:82:9f:11:9d',
            # 'lastskip' => '0000-00-00 00:00:00',
            # 'last_dhcp' => '2018-10-22 12:23:20',
            # 'user_agent' => 'Mozilla/5.0 (Linux; Android 8.1.0; Nexus 5X Build/OPM7.181005.003) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Mobile Safari/537.36',
            # 'dhcp_fingerprint' => '1,3,6,15,26,28,51,58,59,43',
            # 'computername' => '',
            # 'detect_date' => '2018-10-15 16:07:37',
            # 'last_connection_sub_type' => '',
            # 'last_vlan' => '135',
            # 'bypass_role_id' => undef,
            # 'last_role' => 'registration',
            # 'last_switch' => '172.20.110.250',
            # 'dhcp_vendor' => 'android-dhcp-8.1.0',
            # 'unregdate' => '0000-00-00 00:00:00',
            # 'device_version' => '8.1.0',
            # 'status' => 'unreg',
            # 'bypass_vlan' => undef,
            # 'regdate' => '0000-00-00 00:00:00',
            # 'last_dot1x_username' => '78f8829f119d',
            # 'category_id' => undef,
            # 'tenant_id' => '1',
            # 'last_connection_type' => 'Wireless-802.11-NoEAP',
            # 'machine_account' => undef,
            # 'realm' => 'null',
            # 'last_ssid' => 'baguettefence',
            # 'last_arp' => '0000-00-00 00:00:00',
            # 'device_score' => '75',
            # 'last_start_timestamp' => '1539634057',
            # 'stripped_user_name' => '78f8829f119d',
            # 'voip' => 'no',
            # 'device_manufacturer' => 'LG Electronics',
            # 'notes' => undef,
            # 'time_balance' => undef,
            # 'last_switch_mac' => '74:26:ac:cf:7d:60',
            # 'last_start_time' => '2018-10-15 16:07:37',
            # 'sessionid' => 'fa6e14ac0000048c9f29ce5b',
            # 'options' => {
            # 'optionVendorClassIdentifier' => 'android-dhcp-8.1.0',
            # 'optionDHCPMessageType' => '1',
            # 'optionClientIdentifier' => '0178f8829f119d',
            # 'optionParameterRequestList' => '1,3,6,15,26,28,51,58,59,43',
            # 'optionMaximumDHCPMessageSize' => '1500'
            # },
            # 'mac' => '78:f8:82:9f:11:9d'
            #
            # Actions
            # -------
            # Structure example of an action
            # [NAMEOFTHEACTION:RULE&RULE2&RULE3]
            # scope = Request
            # answer1 = 5 => 172.20.135.4
            # answer2 = 51 => 300
            # action = ACTION
            # action_param = ACTION PARAMETERS
            #
            #
            # Note the following when defining an action:
            # - Actions are triggered on a first-hit match, based on their order in the 'dhcp_filters.conf' file
            # - Action names must be unique
            # - An action definition (what's inside []) contains the unique name, the ':' delimiter, and valid rule/condition names combined with boolean operators
            #
            # Scope can be:
            # - see the beginning of this file for the possible scopes. They are usually extension points of the endpoint connection flow
            #
            #
            # Answer can be:
            # - a DHCP option number and its associated value, or the special value "Reject => True" to reject the DHCP request
            #
            # 1 OptionSubnetMask
            # 2 OptionTimeOffset
            # 3 OptionRouter
            # 4 OptionTimeServer
            # 5 OptionNameServer
            # 6 OptionDomainNameServer
            # 7 OptionLogServer
            # 8 OptionCookieServer
            # 9 OptionLPRServer
            # 10 OptionImpressServer
            # 11 OptionResourceLocationServer
            # 12 OptionHostName
            # 13 OptionBootFileSize
            # 14 OptionMeritDumpFile
            # 15 OptionDomainName
            # 16 OptionSwapServer
            # 17 OptionRootPath
            # 18 OptionExtensionsPath
            # 19 OptionIPForwardingEnableDisable
            # 20 OptionNonLocalSourceRoutingEnableDisable
            # 21 OptionPolicyFilter
            # 22 OptionMaximumDatagramReassemblySize
            # 23 OptionDefaultIPTimeToLive
            # 24 OptionPathMTUAgingTimeout
            # 25 OptionPathMTUPlateauTable
            # 26 OptionInterfaceMTU
            # 27 OptionAllSubnetsAreLocal
            # 28 OptionBroadcastAddress
            # 29 OptionPerformMaskDiscovery
            # 30 OptionMaskSupplier
            # 31 OptionPerformRouterDiscovery
            # 32 OptionRouterSolicitationAddress
            # 33 OptionStaticRoute
            # 34 OptionTrailerEncapsulation
            # 35 OptionARPCacheTimeout
            # 36 OptionEthernetEncapsulation
            # 37 OptionTCPDefaultTTL
            # 38 OptionTCPKeepaliveInterval
            # 39 OptionTCPKeepaliveGarbage
            # 40 OptionNetworkInformationServiceDomain
            # 41 OptionNetworkInformationServers
            # 42 OptionNetworkTimeProtocolServers
            # 43 OptionVendorSpecificInformation
            # 44 OptionNetBIOSOverTCPIPNameServer
            # 45 OptionNetBIOSOverTCPIPDatagramDistributionServer
            # 46 OptionNetBIOSOverTCPIPNodeType
            # 47 OptionNetBIOSOverTCPIPScope
            # 48 OptionXWindowSystemFontServer
            # 49 OptionXWindowSystemDisplayManager
            # 50 OptionRequestedIPAddress
            # 51 OptionIPAddressLeaseTime
            # 52 OptionOverload
            # 53 OptionDHCPMessageType
            # 54 OptionServerIdentifier
            # 55 OptionParameterRequestList
            # 56 OptionMessage
            # 57 OptionMaximumDHCPMessageSize
            # 58 OptionRenewalTimeValue
            # 59 OptionRebindingTimeValue
            # 60 OptionVendorClassIdentifier
            # 61 OptionClientIdentifier
            # 62 OptionNetwareIPDomain
            # 63 OptionNetwareIPInformation
            # 64 OptionNetworkInformationServicePlusDomain
            # 65 OptionNetworkInformationServicePlusServers
            # 66 OptionTFTPServerName
            # 67 OptionBootFileName
            # 68 OptionMobileIPHomeAgent
            # 69 OptionSimpleMailTransportProtocol
            # 70 OptionPostOfficeProtocolServer
            # 71 OptionNetworkNewsTransportProtocol
            # 72 OptionDefaultWorldWideWebServer
            # 73 OptionDefaultFingerServer
            # 74 OptionDefaultInternetRelayChatServer
            # 75 OptionStreetTalkServer
            # 76 OptionStreetTalkDirectoryAssistance
            # 77 OptionUserClass
            # 82 OptionRelayAgentInformation
            # 93 OptionClientArchitecture
            # 100 OptionTZPOSIXString
            # 101 OptionTZDatabaseString
            # 121 OptionClasslessRouteFormat
            #
            # Action can be:
            # deregister_node (required param => mac)
            # register_node (required params => mac pid)
            # modify_node (required param => mac)
            # trigger_violation (required params => mac tid type)
            #
            # Action parameter can be:
            # - The required param(s) plus optional attributes, for example (for action = modify_node):
            # action_param = mac = $mac
            #
            #
            # EXAMPLES
            # --------
            #
            #[android_by_name]
            #filter = fingerbank_info.device_hierarchy_names
            #operator = includes
            #value = Generic Android
            #[1:android_by_name]
            #scope = Discover
            #answer1 = 5 => 172.20.135.4
            #answer2 = 51 => 300
            #[2:android_by_name]
            #scope = Request
            #answer1 = 5 => 172.20.135.4
            #answer2 = 51 => 300

DNS Filters

            # DNS Filter Configuration
            # ========================
            #
            # You can trigger rules in pfdns on a specific scope (registration, isolation)
            #
            # Make a simple rule like this:
            #
            # [aerohive]
            # filter = qname
            # operator = is
            # value = www.aerohive.com
            #
            # [1:aerohive]
            # scope = registration
            # answer = 30 IN A 10.0.0.1
            # rcode = NOERROR
            #
            # It means that when pfdns receives a DNS request for the DNS name www.aerohive.com,
            # it will respond with the IP address 10.0.0.1.
            #
            # See http://search.cpan.org/~nlnetlabs/Net-DNS-0.74/lib/Net/DNS/RR.pm for more details.
            #
            #
            #
            #
            # filter can be:
            #
            # qname
            # qclass
            # qtype
            # peerhost
            # query ( http://search.cpan.org/~nlnetlabs/Net-DNS-1.04/lib/Net/DNS/Packet.pm )
            # conn.peerhost
            # conn.sockport
            # conn.sockhost
            # conn.peerport
            # time
            # mac
            #
            # operator can be:
            # is
            # is_not
            # match
            # match_not
            # defined
            # not_defined
            # regex
            # date_is_before
            # date_is_after
            #
            # value can be:
            #
            # - for qname the fqdn search (www.aerohive.com)
            #
            # - for qclass
            # IN 1 the Internet
            # CS 2 the CSNET class (Obsolete - used only for examples in some obsolete RFCs)
            # CH 3 the CHAOS class
            # HS 4 Hesiod [Dyer 87]
            #
            # - for qtype
            # A 1 a host address
            # NS 2 an authoritative name server
            # CNAME 5 the canonical name for an alias
            # SOA 6 marks the start of a zone of authority
            # WKS 11 a well known service description
            # PTR 12 a domain name pointer
            # HINFO 13 host information
            # MINFO 14 mailbox or mail list information
            # MX 15 mail exchange
            # TXT 16 text strings
            #
            # - for peerhost the IP address of the client
            #
            # - for query the value in the representation of a Net::DNS::Packet packet
            #
            # - for conn
            # ip or port
            #
            # The value of a time filter is specific and follows this logic:
            # http://search.cpan.org/~pryan/Period-1.20/Period.pm
            # For example, if you want to allow access from Monday to Friday, 9am to 11am and from 2pm to 4pm:
            # wd {Mon Tue Wed Thu Fri} hr {9am-11am}, wd {Mon Tue Wed Thu Fri} hr {2pm-4pm}
            #
            # answer is in the format of http://search.cpan.org/~nlnetlabs/Net-DNS-1.04/lib/Net/DNS/RR.pm
            #
            # rcode can be:
            # NOERROR No Error
            # FORMERR Format Error
            # SERVFAIL Server Failure
            # NXDOMAIN Non-Existent Domain
            # NOTIMP Not Implemented
            # REFUSED Query Refused
            # YXDOMAIN Name Exists when it should not
            # YXRRSET RR Set Exists when it should not
            # NXRRSET RR Set that should exist does not
            # NOTAUTH Server Not Authoritative for zone
            # NOTAUTH Not Authorized
            # NOTZONE Name not contained in zone
            # BADVERS Bad OPT Version
            # BADSIG TSIG Signature Failure
            # BADKEY Key not recognized
            # BADTIME Signature out of time window
            # BADMODE Bad TKEY Mode
            # BADNAME Duplicate key name
            # BADALG Algorithm not supported
            # BADTRUNC Bad Truncation

RADIUS Filters

            # RADIUS Filter Configuration
            # ===========================
            #
            # You are able to rewrite the RADIUS response based on attribute values. By default the RADIUS filter
            # response is merged with the original RADIUS response (to overwrite it instead, add merge_answer = no).
            # Also by default the status of the answer is RLM_MODULE_OK, but this status can be overridden with
            # the status attribute.
            # The status attribute can have the following values (see http://wiki.freeradius.org/modules/Rlm_perl for more details):
            # RLM_MODULE_REJECT
            # RLM_MODULE_FAIL
            # RLM_MODULE_OK
            # RLM_MODULE_HANDLED
            # RLM_MODULE_INVALID
            # RLM_MODULE_USERLOCK
            # RLM_MODULE_NOTFOUND
            # RLM_MODULE_NOOP
            # RLM_MODULE_UPDATED
            # RLM_MODULE_NUMCODES
            #
            # You can use scopes in the RADIUS filter:
            # returnRadiusAccessAccept is when you return the answer for a device access
            # returnAuthorizeRead is when you return the answer for the switch read login access
            # returnAuthorizeWrite is when you return the answer for the switch write login access
            # returnAuthorizeVoip is when you return the answer for VoIP
            #
            # Specific scopes exist to let the RADIUS filter change the FreeRADIUS logic on the fly:
            #
            # packetfence.authorize calls the RADIUS filter in the packetfence authorize section
            # packetfence.authenticate calls the RADIUS filter in the packetfence authenticate section
            # packetfence.pre-proxy calls the RADIUS filter in the packetfence pre-proxy section
            # packetfence.post-proxy calls the RADIUS filter in the packetfence post-proxy section
            # packetfence-tunnel.authorize calls the RADIUS filter in the packetfence-tunnel authorize section
            # packetfence.preacct calls the RADIUS filter in the packetfence preacct section
            # packetfence.accounting calls the RADIUS filter in the packetfence accounting section
            #
            # Make a simple rule like this:
            #
            #[macauth]
            #filter = connection_type
            #operator = is
            #value = Ethernet-NoEAP
            #
            #[mac]
            #filter = mac
            #operator = is
            #value = 00:11:22:33:44:55
            #
            #This rule will return the VLAN ID 42 for this specific MAC address
            #
            #[1:macauth&mac]
            #scope = returnRadiusAccessAccept
            #merge_answer = no
            #answer1 = Tunnel-Medium-Type => 6
            #answer2 = Tunnel-Type => 13
            #answer3 = Tunnel-Private-Group-ID => 42
            #
            # This rule will return Access-Accept if there is no security_event
            #
            #[security_event]
            #filter = security_event
            #operator = defined
            #
            #[2:macauth&!security_event]
            #scope = returnRadiusAccessAccept
            #
            # Advanced rule:
            #
            # This rule will return the VLAN ID associated with the user role and a Cisco-AVPair whose
            # attributes have been evaluated.
            # merge_answer = no means the original answer is not merged with the RADIUS filter answer.
            #[3:macauth&!security_event]
            #scope = returnRadiusAccessAccept
            #merge_answer = no
            #answer1 = Tunnel-Medium-Type => 6
            #answer2 = Tunnel-Type => 13
            #answer3 = Tunnel-Private-Group-ID => $vlan
            #answer4 = Cisco-AVPair => url-redirect-acl=$user_role;url-redirect=${switch._portalURL}/cep$session_id
            #
            # All the answers in the rule are computed by A3, so you can set static and dynamic values.
            # Let's say you defined these answers and the $user_role value is set to default:
            #
            #answer1 = Tunnel-Medium-Type => 6
            #answer2 = Tunnel-Type => 13
            #answer3 = Tunnel-Private-Group-ID => ${switch._vlans.$user_role}
            #answer4 = Cisco-AVPair => url-redirect-acl=$user_role;url-redirect=${switch._portalURL}/cep$session_id
            #
            # A3 will first evaluate simple variables like $user_role to default, then it will evaluate
            # ${switch._vlans.default} to 1 (see the switch hash below).
            #
            #'node_info' => {
            # 'autoreg' => 'no',
            # ....
            #},
            #'switch' => {
            # '_vlans' => {
            # 'inline' => '6',
            # 'isolation' => '2',
            # 'normal' => '1',
            # 'default' => '1',
            # 'registration' => '3',
            # 'voice' => '5',
            # 'macDetection' => '4',
            # },
            # '_portalURL' => 'http://192.168.1.2',
            # ....
            #},
            #'wasInline' => 0,
            #...
            #
            # Then A3 will evaluate the answer4 to Cisco-AVPair => url-redirect-acl=default;url-redirect=http://192.168.1.2/cepab23bc
            #
            # You can also define a range of int values and it will return a random number in this range:
            #
            # answer5 = Session-Timeout => 200..300,500..700
            #
            # will return a RADIUS attribute Session-Timeout with a value between 200 and 300 or between 500 and 700
            #
            #### Fingerbank example ####
            #
            # There are two ways to detect if the device is an Android phone, either by looking at the hierarchy of device ID or looking at the hierarchy of device names
            # Although using device names is more intuitive, they are subject to (very rare) changes, so using the ID is recommended.
            #
            # This would then give us the following condition (note the use of includes) :
            #[android_by_id]
            #filter = fingerbank_info.device_hierarchy_ids
            #operator = includes
            #value = 202
            #
            # Same example using the name:
            #[android_by_name]
            #filter = fingerbank_info.device_hierarchy_names
            #operator = includes
            #value = Generic Android
            #
            # Next, let's add filtering on the Android operating system version using:
            # (CAUTION: the version is not always available, when not present, this condition will return false)
            #[version_4_plus]
            #filter = fingerbank_info.version
            #operator = greater_equals
            #value = 4
            #
            # We could also want to validate that the device score is high enough through the following condition:
            #[minimum_score]
            #filter = fingerbank_info.score
            #operator = greater_equals
            #value = 30
            #
            # The above ensures that the score is 30 or higher, which is the level at which Fingerbank uses information that isn't easily spoofable for its decision.
            #
            # We could now create a filter that sets the Session-Timeout to 5 minutes for all Android phones versions 4 and above that have a score of at least 30
            #
            #[1:android_by_id&version_4_plus&minimum_score]
            #scope = returnRadiusAccessAccept
            #merge_answer = yes
            #answer1 = Session-Timeout => 300
            #
            #
            #### authorize example ####
            #
            # There are some cases where you want to override the RADIUS flow, such as changing the value of Proxy-To-Realm to force the request to be sent to a specific realm based on the username.
            #
            #[acme]
            #filter = radius_request.User-Name
            #operator = regex
            #value = ^bobacme.*
            #
            #[1:acme]
            #scope=packetfence.authorize
            #merge_answer = yes
            #answer1 = control:Proxy-To-Realm => ACME
            #
            #### preacct example ####
            #
            # There are some cases where you want to override the RADIUS flow, such as changing the value of Proxy-To-Realm to force the request to be sent to a specific realm based on the username (for accounting).
            #
            #[acme]
            #filter = radius_request.User-Name
            #operator = regex
            #value = ^bobacme.*
            #
            #[1:acme]
            #scope=packetfence.preacct
            #merge_answer = yes
            #answer1 = control:Proxy-To-Realm => ACME
            #
            #### pre-proxy example ####
            #
            # There are some cases where you want to modify the RADIUS request before sending it to a remote RADIUS server.
            # In this example we will rewrite the username based on the NAS-Identifier value.
            #
            #[Building1]
            #filter = radius_request.NAS-Identifier
            #operator = is
            #value = Building1
            #
            #[1:Building1]
            #scope=packetfence.pre-proxy
            #merge_answer = yes
            #answer1 = proxy-request:User-Name => Building1!${radius_request.User-Name}
            #
            #### post-proxy example ####
            #
            # In this example we will add VLAN 33 to all the answers of the remote RADIUS server
            #
            #[all]
            #filter = mac
            #operator = regex
            #value = .*
            #
            #[1:all]
            #scope=packetfence.post-proxy
            #merge_answer=yes
            #answer1 = reply:Tunnel-Private-Group-Id => 33
            #answer2 = reply:Tunnel-Type => 13
            #answer3 = reply:Tunnel-Medium-Type => 6
            #
            #
            #
            # filter can be for the scope returnRadiusAccessAccept:
            # node_info.autoreg
            # node_info.status
            # node_info.bypass_vlan
            # node_info.bandwidth_balance
            # node_info.regdate
            # node_info.bypass_role
            # node_info.device_class
            # node_info.device_type
            # node_info.device_version
            # node_info.device_score
            # node_info.pid
            # node_info.machine_account
            # node_info.category
            # node_info.mac
            # node_info.last_arp
            # node_info.lastskip
            # node_info.last_dhcp
            # node_info.user_agent
            # node_info.computername
            # node_info.dhcp_fingerprint
            # node_info.detect_date
            # node_info.voip
            # node_info.notes
            # node_info.time_balance
            # node_info.sessionid
            # node_info.dhcp_vendor
            # node_info.unregdate
            # fingerbank_info.device_fq
            # fingerbank_info.device_hierarchy_names
            # fingerbank_info.device_hierarchy_ids
            # fingerbank_info.score
            # fingerbank_info.version
            # fingerbank_info.mobile
            # switch._switchIp
            # switch._ip
            # switch._portalURL
            # switch._switchMac
            # ifIndex
            # mac
            # connection_type
            # username
            # ssid
            # vlan
            # wasInline
            # user_role
            # radius_request
            # security_event
            # time
            #
            # filter can be for the scopes returnAuthorizeRead and returnAuthorizeWrite
            # switch._switchIp
            # switch._ip
            # switch._portalURL
            # switch._switchMac
            # realm
            # user_name
            # stripped_user_name
            # radius_request
            # source_ip
            #
            # operator can be:
            # is
            # is_not
            # match
            # match_not
            # defined
            # date_is_before
            # date_is_after
            #
            # attribute can be:
            #
            # - for connection_type
            # Wireless-802.11-EAP
            # Wireless-802.11-NoEAP
            # Ethernet-EAP
            # Ethernet-NoEAP
            # SNMP-Traps
            # Inline
            #
            #
            # - for the radius_request
            # All the attributes you can have in the RADIUS request (run FreeRADIUS in debug mode to see these attributes)
            #
            #
            # The value of a time filter is specific and follows this logic:
            # http://search.cpan.org/~pryan/Period-1.20/Period.pm
            # For example, if you want to test the current date for Monday to Friday, 9am to 11am and for 2pm to 4pm:
            # [timeofday]
            # filter = time
            # operator = is
            # value = wd {Mon Tue Wed Thu Fri} hr {9am-11am}, wd {Mon Tue Wed Thu Fri} hr {2pm-4pm}
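The rule/action structure shared by the DHCP and RADIUS filters above (named [rule] sections, [action:rule&!rule2|rule3] headers, first-hit ordering, and the behaviour of includes, greater_equals and defined on absent attributes) can be modelled with the small Python evaluator below. This is an added example, not A3's own code: the exact operator semantics, '&' binding tighter than '|', and Perl-style numeric coercion of a version such as '8.1.0' are assumptions, and the config text and context hash are constructed from the examples on this page.

```python
import configparser
import re

def _lookup(ctx: dict, path: str):
    """Resolve a dotted filter name such as 'fingerbank_info.score'; None if absent."""
    cur = ctx
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur

def _num(v):
    """Leading-number coercion ('8.1.0' -> 8.1), mimicking Perl numification (assumed)."""
    m = re.match(r"\s*(\d+(?:\.\d+)?)", str(v))
    return float(m.group(1)) if m else None

# Operators listed on the page, applied to a present attribute (semantics assumed).
_OPS = {
    "is": lambda a, e: str(a) == e,
    "is_not": lambda a, e: str(a) != e,
    "match": lambda a, e: e in str(a),
    "match_not": lambda a, e: e not in str(a),
    "regex": lambda a, e: re.search(e, str(a)) is not None,
    "includes": lambda a, e: e in [str(i) for i in (a if isinstance(a, list) else [a])],
    "greater_equals": lambda a, e: None not in (_num(a), _num(e)) and _num(a) >= _num(e),
}

def apply_operator(op: str, actual, expected: str) -> bool:
    """An absent attribute makes every condition false except defined/not_defined
    (this is the page's CAUTION about fingerbank_info.version)."""
    if op == "defined":
        return actual is not None
    if op == "not_defined":
        return actual is None
    return actual is not None and _OPS[op](actual, expected)

def load_filters(text: str):
    """Return rules {name: body} and actions [(name, expr, body)] kept in file order."""
    cp = configparser.RawConfigParser()
    cp.optionxform = str  # keep RADIUS attribute names case-sensitive
    cp.read_string(text)
    rules, actions = {}, []
    for section in cp.sections():
        if ":" in section:  # [NAMEOFTHEACTION:RULE&RULE2]
            name, expr = section.split(":", 1)
            actions.append((name.strip(), expr.strip(), dict(cp.items(section))))
        else:
            rules[section] = dict(cp.items(section))
    return rules, actions

def evaluate_expr(expr: str, rules: dict, ctx: dict) -> bool:
    """'a&!b|c': '!' negates a rule; '&' binds tighter than '|' (assumption)."""
    def rule_holds(token: str) -> bool:
        token = token.strip()
        rule = rules[token.lstrip("!")]
        hit = apply_operator(rule["operator"], _lookup(ctx, rule["filter"]), rule.get("value", ""))
        return not hit if token.startswith("!") else hit
    return any(all(rule_holds(t) for t in grp.split("&")) for grp in expr.split("|"))

def first_match(text: str, ctx: dict, scope: str):
    """First-hit semantics: the first action in file order whose scope and expression match.
    Returns (action name, {attribute: value}) parsed from 'Attr => value', or None."""
    rules, actions = load_filters(text)
    for name, expr, body in actions:
        if body.get("scope") == scope and evaluate_expr(expr, rules, ctx):
            pairs = (v.partition("=>") for k, v in body.items() if k.startswith("answer"))
            return name, {attr.strip(): val.strip() for attr, _, val in pairs}
    return None

# Constructed sample config, assembled from the RADIUS examples on this page.
SAMPLE_CONF = """
[macauth]
filter = connection_type
operator = is
value = Wireless-802.11-NoEAP
[security_event]
filter = security_event
operator = defined
[android_by_id]
filter = fingerbank_info.device_hierarchy_ids
operator = includes
value = 202
[version_4_plus]
filter = fingerbank_info.version
operator = greater_equals
value = 4
[1:android_by_id&version_4_plus]
scope = returnRadiusAccessAccept
answer1 = Session-Timeout => 300
[2:macauth&!security_event]
scope = returnRadiusAccessAccept
answer1 = Tunnel-Private-Group-ID => 42
"""

# Constructed context, trimmed from the Nexus 5X dump in the DHCP section.
NEXUS_CTX = {
    "mac": "78:f8:82:9f:11:9d", "connection_type": "Wireless-802.11-NoEAP",
    "security_event": None,
    "fingerbank_info": {"version": "8.1.0", "device_hierarchy_ids": [7939, 2805, 202, 11]},
}
```

Calling `first_match(SAMPLE_CONF, NEXUS_CTX, "returnRadiusAccessAccept")` picks action 1 even though action 2 would also match, and a context whose fingerbank_info lacks a version falls through to action 2 because greater_equals on an absent attribute is false.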

Device Filters

            # Device Filter Configuration
            # ===========================
            #
            # Scopes
            # ------
            # It is possible to trigger rules / actions within the following specific connection flow scopes:
            # - radius_authorize: Used when A3 receives a RADIUS request
            # - external_portal: Used when an endpoint hits the captive portal for web authentication
            #
            #
            # A "Device Filter" configuration consists of two (2) parts: rule(s)/condition(s) and action(s).
            # Some working examples covering useful use cases can be found at the bottom of this file.
            #
            #
            #
            # Rule(s)/Condition(s)
            # --------------------
            # Structure example of a rule/condition
            # [NAMEOFRULE]
            # filter = FILTER
            # operator = OPERATOR
            # value = VALUE
            #
            ###############################
            # For the radius_authorize scope, the filter can be:
            # node_info.autoreg
            # node_info.status
            # node_info.bypass_vlan
            # node_info.bandwidth_balance
            # node_info.regdate
            # node_info.bypass_role
            # node_info.device_class
            # node_info.device_type
            # node_info.device_version
            # node_info.device_score
            # node_info.pid
            # node_info.machine_account
            # node_info.category
            # node_info.mac
            # node_info.last_arp
            # node_info.lastskip
            # node_info.last_dhcp
            # node_info.user_agent
            # node_info.computername
            # node_info.dhcp_fingerprint
            # node_info.detect_date
            # node_info.voip
            # node_info.notes
            # node_info.time_balance
            # node_info.sessionid
            # node_info.dhcp_vendor
            # node_info.unregdate
            # fingerbank_info.device_fq
            # fingerbank_info.device_hierarchy_names
            # fingerbank_info.device_hierarchy_ids
            # fingerbank_info.score
            # fingerbank_info.version
            # fingerbank_info.mobile
            # switch._switchIp
            # switch._ip
            # switch._portalURL
            # switch._switchMac
            # ifIndex
            # mac
            # connection_type
            # user_name
            # ssid
            # time
            # owner.pid
            # owner.firstname
            # owner.lastname
            # owner.email
            # owner.telephone
            # owner.company
            # owner.address
            # owner.notes
            # owner.sponsor
            # owner.anniversary
            # owner.birthday
            # owner.gender
            # owner.lang
            # owner.nickname
            # owner.cell_phone
            # owner.work_phone
            # owner.title
            # owner.building_number
            # owner.apartment_number
            # owner.room_number
            # owner.custom_field_1
            # owner.custom_field_2
            # owner.custom_field_3
            # owner.custom_field_4
            # owner.custom_field_5
            # owner.custom_field_6
            # owner.custom_field_7
            # owner.custom_field_8
            # owner.custom_field_9
            # owner.portal
            # owner.source
            # owner.nodes
            # owner.password
            # owner.valid_from
            # owner.expiration
            # owner.access_duration
            # owner.access_level
            # owner.can_sponsor
            # owner.unregdate
            # owner.category
            # radius_request
            # params
            #
            # Operator can be:
            # is
            # is_not
            # match
            # match_not
            # defined
            # not_defined
            # regex
            # date_is_before
            # date_is_after
            #
            # Attribute can be:
            # - for connection_type
            # Wireless-802.11-EAP
            # Wireless-802.11-NoEAP
            # Ethernet-EAP
            # Ethernet-NoEAP
            # SNMP-Traps
            # Inline
            # - for the radius_request
            # All the attributes you can have in the RADIUS request (run FreeRADIUS in debug mode to see these attributes)
            #
            # - for the params
            # It corresponds to the attributes in the URI when the device hits the portal
            #
            ###############################
            # For the instantiate_module scope, the filter can be:
            # radius_request (when used in the context of a RADIUS request)
            # locationlog (when used outside of the context of a RADIUS request)
            #
            # Attribute can be:
            # - for the radius_request
            # All the attributes you can have in the RADIUS request (run FreeRADIUS in debug mode to see these attributes)
            # - for the locationlog
            # id
            # tenant_id
            # mac
            # switch
            # port
            # vlan
            # role
            # connection_type
            # connection_sub_type
            # dot1x_username
            # ssid
            # start_time
            # end_time
            # switch_ip
            # switch_mac
            # stripped_user_name
            # realm
            # session_id
            # ifDesc
            #
            ###############################
            # Actions
            # -------
            # Structure example of an action
            # [NAMEOFTHEACTION:RULE1&RULE2&RULE3]
            # scope = SCOPE
            # param1 = SWITCH_PARAMETER => VALUE
            # param2 = SWITCH_PARAMETER => VALUE
            # paramx = SWITCH_PARAMETER => VALUE
            # switch = SWITCH_MODULE
            #
            # Scope can be:
            # - see the beginning of this file for the possible scopes. They are usually extension points of the endpoint connection flow
            #
            #
            # Param(x) can be:
            # - any device configuration parameter to override (Only available for radius_authorize scope)
            #
            # Switch can be:
            # - any switch module
            #
            # -------------------------
            #
            #
            # EXAMPLES
            # --------
            # - If the SSID is Test, then override the ExternalPortalEnforcement and VlanMap values
            #
            #[SSID]
            #filter = ssid
            #operator = is
            #value = Test
            #
            #[1:SSID]
            #scope = radius_authorize
            #param1 = ExternalPortalEnforcement => N
            #param2 = VlanMap => Y
            #
            #[status]
            #filter = node_info.status
            #operator = is
            #value = reg
            #
            #[2:!SSID&status]
            #scope = radius_authorize
            #param1 = ExternalPortalEnforcement => N
            #
            # - If the device hits the portal with these parameters in the URI, then use the Fortinet::FortiGate switch module
            #
            #[login]
            #filter = params.login
            #operator = defined
            #
            #[post]
            #filter = params.post
            #operator = defined
            #
            #[magic]
            #filter = params.magic
            #operator = defined
            #
            #[usermac]
            #filter = params.usermac
            #operator = defined
            #
            #[apmac]
            #filter = params.apmac
            #operator = defined
            #
            #[apip]
            #filter = params.apip
            #operator = defined
            #
            #[userip]
            #filter = params.userip
            #operator = defined
            #
            #[1:login&post&magic&usermac&apmac&apip&userip]
            #scope = external_portal
            #switch = Fortinet::FortiGate
            #
            # - If the device is authenticating on a wireless connection, then use the Cisco::WLC_5500 module
            #
            #[wireless_radius]
            #filter = radius_request.NAS-Port-Type
            #operator = is
            #value = 19
            #
            #[wireless_locationlog]
            #filter = locationlog.connection_type
            #operator = regex
            #value = ^Wireless
            #
            #[msmodule4wired:wireless_locationlog|wireless_radius]
            #scope = instantiate_module
            #switch = Cisco::WLC_5500

VLAN Filters

            # VLAN Filter Configuration
            # =========================
            #
            # Scopes
            # ------
            # It is possible to trigger rules / actions within the following specific connection flow scopes
            # - RegistrationRole: Used when an endpoint is in an *UNREGISTERED* state
            # - RegisteredRole: Used when an endpoint is in a *REGISTERED* state
            # - IsolationRole: Used when a security event is open on an endpoint
            # - InlineRole: Used when the endpoint is detected connecting from an inline VLAN
            # - AutoRegister: Used to determine whether or not an endpoint should be autoregistered
            # - NodeInfoForAutoReg: Used to specify endpoint parameters when autoregistering
            # - IsPhone: (only available on RADIUS based switches)
            #
            #
            # A "VLAN filter" configuration consists of two (2) parts: rule(s)/condition(s) and action(s)
            # Some working examples covering useful use cases can be found at the bottom of this file
            #
            #
            # Rule(s)/Condition(s)
            # --------------------
            # Structure example of a rule/condition
            # [NAMEOFRULE]
            # filter = FILTER
            # operator = OPERATOR
            # value = VALUE
            #
            # Filter can be:
            # node_info.autoreg
            # node_info.status
            # node_info.bypass_vlan
            # node_info.bandwidth_balance
            # node_info.regdate
            # node_info.bypass_role
            # node_info.device_class
            # node_info.device_type
            # node_info.device_version
            # node_info.device_score
            # node_info.pid
            # node_info.machine_account
            # node_info.category
            # node_info.mac
            # node_info.last_arp
            # node_info.lastskip
            # node_info.last_dhcp
            # node_info.user_agent
            # node_info.computername
            # node_info.dhcp_fingerprint
            # node_info.detect_date
            # node_info.voip
            # node_info.notes
            # node_info.time_balance
            # node_info.sessionid
            # node_info.dhcp_vendor
            # node_info.unregdate
            # fingerbank_info.device_name
            # fingerbank_info.device_fq
            # fingerbank_info.device_hierarchy_names
            # fingerbank_info.device_hierarchy_ids
            # fingerbank_info.score
            # fingerbank_info.version
            # fingerbank_info.mobile
            # switch._switchIp
            # switch._ip
            # switch._portalURL
            # switch._switchMac
            # ifIndex
            # mac
            # connection_type
            # user_name
            # ssid
            # time
            # owner.pid
            # owner.firstname
            # owner.lastname
            # owner.email
            # owner.telephone
            # owner.company
            # owner.address
            # owner.notes
            # owner.sponsor
            # owner.anniversary
            # owner.birthday
            # owner.gender
            # owner.lang
            # owner.nickname
            # owner.cell_phone
            # owner.work_phone
            # owner.title
            # owner.building_number
            # owner.apartment_number
            # owner.room_number
            # owner.custom_field_1
            # owner.custom_field_2
            # owner.custom_field_3
            # owner.custom_field_4
            # owner.custom_field_5
            # owner.custom_field_6
            # owner.custom_field_7
            # owner.custom_field_8
            # owner.custom_field_9
            # owner.portal
            # owner.source
            # owner.nodes
            # owner.password
            # owner.valid_from
            # owner.expiration
            # owner.access_duration
            # owner.access_level
            # owner.can_sponsor
            # owner.unregdate
            # owner.category
            # radius_request.RADIUS_request_attributes (see below)
            #
            # For the radius_request filter, you can use all the attributes you can have
            # in the RADIUS request (run FreeRADIUS in debug mode or take a look at a RADIUS Audit
            # log entry to see these attributes)
            #
            # Operator can be:
            # is
            # is_not
            # match
            # match_not
            # defined
            # not_defined
            # regex
            # date_is_before
            # date_is_after
            # time
            #
            # Value can be:
            # - for connection_type
            # Wireless-802.11-EAP
            # Wireless-802.11-NoEAP
            # Ethernet-EAP
            # Ethernet-NoEAP
            # SNMP-Traps
            # Inline
            # - for the radius_request
            # All the attributes you can have in the RADIUS request (run FreeRADIUS in debug mode to see these attributes)
            #
            # Note: Time / Date based rule(s)/condition(s) values follow this logic:
            # http://search.cpan.org/~pryan/Period-1.20/Period.pm
            # For example, if you want to allow access from Monday to Friday, 9am to 11am and from 2pm to 4pm:
            # wd {Mon Tue Wed Thu Fri} hr {9am-11am}, wd {Mon Tue Wed Thu Fri} hr {2pm-4pm}
            #
            #
            # Actions
            # -------
            # Structure example of an action
            # [NAMEOFTHEACTION:RULE1&RULE2&RULE3]
            # scope = SCOPE
            # role = ROLE
            # action = ACTION
            # action_param = ACTION PARAMETERS
            #
            # Make sure to note the following when defining an action:
            # - Actions are triggered on a first hit match, based on their order in the 'vlan_filters.conf' file
            # - Action names must be unique
            # - Action definitions (what's inside []) contain the unique name, a ':' delimiter, and one or more valid rule/condition names combined using boolean operators
            #
            # Scope can be:
            # - see the beginning of this file for the possible scopes. They are usually extension points of the endpoint connection flow
            #
            # Role can be:
            # - any existing configured PacketFence user role (Configuration tab, "Roles" menu item under the "Users" menu section)
            #
            # Action can be:
            # deregister_node (require param => mac)
            # register_node (require param => mac pid)
            # modify_node (require param => mac)
            # trigger_security_event (require param => mac tid type)
            #
            # Action parameter can be:
            # - The required param(s) and optional attributes, e.g. (for action = modify_node):
            # action_param = mac = $mac, notes = $radius_request->{'Called-Station-Id'}
            #
            #
            # -------------------------
            #
            #
            # EXAMPLES
            # --------
            #
            # - When A3 tries to get the normal VLAN for the node and the category of the node is
            # the default one, return the role "nointernet" (which you will have configured in the device configuration).
            # [category]
            # filter = node_info.category
            # operator = is
            # value = default
            #
            # [1:category]
            # scope = RegisteredRole
            # role = nointernet
            #
            #
            # - When A3 tries to get the normal VLAN for the node and the category of the node is
            # the default one, the SSID is OpenWrt-SECURE and the time is between 11am and 2pm from Monday to Friday,
            # return the role "nointernet" (which you will have configured in the device configuration).
            # [2]
            # filter = node_info.category
            # operator = match
            # value = default
            #
            # [3]
            # filter = ssid
            # operator = is
            # value = OpenWrt-SECURE
            #
            # [4]
            # filter = time
            # operator = is
            # value = wd {Mon Tue Wed Thu Fri} hr {11am-2pm}
            #
            # [2:2&3&4]
            # scope = RegisteredRole
            # role = nointernet
            #
            #
            # - This will autoregister any device whose MAC address begins with one of a set of known Avaya OUIs and consider it a phone
            # [avaya_phones]
            # filter = node_info.mac
            # operator = regex
            # value = ^(00:04:0d|84:83:71|00:07:3b|00:09:6e|00:0d:18|00:0d:28|00:1b:4f|24:d9:21|2c:f4:c5|34:75:c7|3c:b1:5b|70:38:ee|b4:b0:17).*
            #
            # [autoreg:avaya_phones]
            # scope = IsPhone
            # role = default
            #
            #
            # - This will autoregister devices if the connection is Ethernet-EAP
            # [etherneteap]
            # filter = connection_type
            # operator = is
            # value = Ethernet-EAP
            #
            # [reg:etherneteap]
            # scope = AutoRegister
            # role = default
            #
            #
            # - This will autoregister machine auth on an Ethernet EAP or EAP-TLS connection and refuse
            # user auth if there was no machine auth before (you must add a role "machine" and a role
            # "REJECT" (value: -1) in A3's role and device configuration).
            #[EthernetEAP]
            #filter = connection_type
            #operator = is
            #value = Ethernet-EAP
            #
            #[machineauth]
            #filter = user_name
            #operator = match
            #value = host/
            #
            #[machine]
            #filter = node_info.machine_account
            #operator = defined
            #
            #[EAPTLS]
            #filter = radius_request.EAP-Type
            #operator = is
            #value = EAP-TLS
            #
            #
            #### Machine Auth Autoregister ####
            #
            #[1:EthernetEAP&machineauth]
            #scope = AutoRegister
            #role = machine
            #
            #[2:EthernetEAP&machineauth]
            #scope = NodeInfoForAutoReg
            #role = machine
            #
            #
            #### Refuse User Auth without machine Auth ####
            #
            #[3:EthernetEAP&!machine&!EAPTLS]
            #scope = RegisteredRole
            #role = REJECT
            #
            #[4:EthernetEAP&!machine]
            #scope = RegistrationRole
            #role = REJECT
            #
            #
            #### EAP TLS Autoregister ####
            #
            #[5:EthernetEAP&EAPTLS]
            #scope = AutoRegister
            #role = machine
            #
            #[6:EthernetEAP&EAPTLS]
            #scope = NodeInfoForAutoReg
            #role = machine
            #
            #
            #### Unregister an auto-registered 802.1X device falling back to MAB ####
            #
            # The conditions below are already defined in vlan_filters.conf.defaults
            # To activate this filter you only need to add this section
            #[pf_deauth_from_wired_secure:pf_wired_mac_auth&pf_node_wired_eap&pf_node_reg&pf_node_auto_reg]
            #scope = RegisteredRole
            #action = modify_node
            #action_param = mac = $mac, status = unreg, autoreg = no
            #role = registration
            #
            # Web API call:
            #
            # [3:3]
            # scope = RegisteredRole
            # action = trigger_security_event
            # action_param = mac = $mac, tid = 1100010, type = INTERNAL
            #
            # It means that if the SSID is OpenWrt-SECURE, then an API call is made to the function trigger_security_event,
            # which triggers security event 1100010.
            # action_param is computed by PacketFence, so you can set static and dynamic values
            #
            #
            #### Fingerbank example ####
            ##
            ## There are two ways to detect if the device is an Android phone: either by checking whether the device is linked to the "Android OS" device by its ID (33453) or by its name (Android OS)
            ## Although using device names is more intuitive, they are subject to (very rare) changes, so using the ID is recommended
            ##
            ## This would then give us the following condition (note the use of fingerbank::device_is_a):
            #[android_by_id]
            #filter = fingerbank_info.device_name
            #operator = fingerbank::device_is_a
            #value = 33483
            #
            ## Same example using the name:
            #[android_by_name]
            #filter = fingerbank_info.device_name
            #operator = fingerbank::device_is_a
            #value = Android OS
            #
            ## Next, let's add filtering on the Android operating system version using:
            ## (CAUTION: the version is not always available; when it is not present, this condition returns false)
            #[version_4_plus]
            #filter = fingerbank_info.version
            #operator = greater_equals
            #value = 4
            #
            ## We could also want to validate that the device score is high enough through the following condition:
            #[minimum_score]
            #filter = fingerbank_info.score
            #operator = greater_equals
            #value = 30
            ## The above ensures that the score is at least 30 (30 included), which is the level at which Fingerbank uses information that isn't easily spoofable for its decision.
            ##
            ## We could now create a filter that auto registers Android phones running version 4 and above that have a score of at least 30
            ##
            #[autoreg_android:android_by_name&version_4_plus&minimum_score]
            #scope = AutoRegister
            #role = default
            #
            #[info_for_autoreg_android:android_by_name&version_4_plus&minimum_score]
            #scope = NodeInfoForAutoReg
            #role = default
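
The rule/action structure shared by the Device Filters and VLAN Filters sections above (named `[RULE]` conditions, `[ACTION:RULE1&!RULE2|RULE3]` headers, per-scope first-hit evaluation), as an added example that is not code from the page, from A3 or from PacketFence: a small Python evaluator that parses such a file and returns the first action that fires for a given scope and request context. Its assumptions are stated in the docstring: the condition grammar (`!` binds tightest, then `&`, then `|`), `match` treated as substring containment, and an absent attribute comparing as the empty string except for `defined`/`not_defined`. `FILTERS` and `USER_PEAP` are constructed sample data modelled on the machine-authentication example above, not captured from a real system.

```python
"""Evaluator for the rule/action filter format used by the device and VLAN
filters above. Constructed example, not A3/PacketFence code. Assumptions:
rule names in an action header combine with ! (not), & (and) and | (or),
& binding tighter than |; 'match' means substring containment; an absent
attribute compares as the empty string except for defined/not_defined."""
import re

def parse_filters(text):
    """Return rules {name: {...}} and actions [(name, expression, {...})] in file order."""
    rules, actions, current = {}, [], None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line.startswith("#"):
            continue
        header = re.fullmatch(r"\[([^\]:]+)(?::(.+))?\]", line)
        if header:                          # [NAME] is a rule, [NAME:EXPR] is an action
            current = {}
            if header.group(2) is None:
                rules[header.group(1).strip()] = current
            else:
                actions.append((header.group(1).strip(), header.group(2).strip(), current))
        elif current is not None and "=" in line:
            key, val = line.split("=", 1)   # split once: 'action_param = mac = $mac' keeps its inner '='
            current[key.strip()] = val.strip()
        else:
            raise ValueError(f"unexpected line: {line!r}")
    return rules, actions

def lookup(ctx, path):
    """Resolve a dotted filter name such as 'radius_request.EAP-Type'; None if absent."""
    for part in path.split("."):
        ctx = ctx.get(part) if isinstance(ctx, dict) else None
    return ctx

def eval_rule(rule, ctx):
    actual = lookup(ctx, rule["filter"])
    op, want = rule["operator"], rule.get("value", "")
    if op in ("defined", "not_defined"):
        return (actual is not None) == (op == "defined")
    actual = "" if actual is None else str(actual)   # absent attribute compares as ""
    checks = {"is": lambda: actual == want, "is_not": lambda: actual != want,
              "match": lambda: want in actual, "match_not": lambda: want not in actual,
              "regex": lambda: re.search(want, actual) is not None}
    if op not in checks:
        raise ValueError(f"unsupported operator {op!r}")
    return checks[op]()

def eval_expr(expr, truth):
    """Evaluate 'a&!b|c' with truth(name) -> bool; ! binds tightest, then &, then |."""
    toks = re.findall(r"[&|!]|[^&|!\s]+", expr)
    def term():
        t = toks.pop(0) if toks else None
        if t == "!":
            return not term()
        if t is None or t in "&|":
            raise ValueError(f"bad condition expression {expr!r}")
        return truth(t)
    def conj():
        v = term()
        while toks and toks[0] == "&":
            toks.pop(0)
            v = term() and v                # evaluate every term so unknown rule names always surface
        return v
    v = conj()
    while toks and toks[0] == "|":
        toks.pop(0)
        v = conj() or v
    return v

def first_hit(filters_text, scope, ctx):
    """(name, body) of the first action in `scope` whose condition holds, else None."""
    rules, actions = parse_filters(filters_text)
    for name, expr, body in actions:        # file order matters: first hit wins
        if body.get("scope") == scope and eval_expr(expr, lambda n: eval_rule(rules[n], ctx)):
            return name, body
    return None

# Constructed filters modelled on the machine-authentication example above.
FILTERS = """
[EthernetEAP]
filter = connection_type
operator = is
value = Ethernet-EAP
[machineauth]
filter = user_name
operator = match
value = host/
[machine]
filter = node_info.machine_account
operator = defined
[EAPTLS]
filter = radius_request.EAP-Type
operator = is
value = EAP-TLS
[1:EthernetEAP&machineauth]
scope = AutoRegister
role = machine
[3:EthernetEAP&!machine&!EAPTLS]
scope = RegisteredRole
role = REJECT
[5:EthernetEAP&EAPTLS]
scope = AutoRegister
role = machine
"""
USER_PEAP = {"connection_type": "Ethernet-EAP", "user_name": "alice",   # constructed request context
             "node_info": {}, "radius_request": {"EAP-Type": "PEAP"}}
```

Calling `first_hit(FILTERS, "RegisteredRole", USER_PEAP)` returns action `3` with role `REJECT` (wired EAP user auth with no prior machine account), and the same call with `node_info.machine_account` set returns `None`, so the endpoint falls through to the normal role assignment; that is the behaviour the page's "refuse user auth without machine auth" example relies on, and it is worth reproducing in a test like this before the rule is deployed.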

Copyright © 2021 Extreme Networks. All rights reserved. Published April 2021.