Hi there,
Currently PacketFence requests WLC to change to a new VLAN to show the captive
portal to a user.
A problem with that mechanism is that, depending on the supplicant, the host
may not request a new IP after the change and the connection will be dead.
One way to overcome this problem is to use the controller's redirect
functionality, and instead of moving to a new VLAN just apply a restrictive ACL
(roles?!).
How would it work (example)?
- User has a single VLAN on the controller, and sets up two ACLs: captive and
normal.
--> Captive ACL allows only traffic to Packetfence server (does not have to be
on the same VLAN).
--> Normal ACL is the one allowing all traffic
- On violation/registration PacketFence Radius will send the following Cisco
AVPairs:
$RAD_REPLY{'Cisco-AVPair'} = [
    'url-redirect=http://<packetfence captive portal>/<args>',
    'url-redirect-acl=captive',
];
- After the violation is resolved or the user is registered, PacketFence sends
reauth CoA
- The new Access-Accept message associates the normal ACL to the user:
Airespace-ACL-Name := "normal"
An added bonus is that PacketFence will no longer need to access any of the
VLANs directly, and there is no need to configure additional VLANs on the
controller.
This works wonderfully under WLC version 7.2.
Regards,
Ricardo Duarte
_______________________________________________
PacketFence-devel mailing list
PacketFence-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-devel