Hi Nicholas,
I do agree with you that the flow should be that one.
So far I’ve noticed that these points works perfectly:
* User connects to SSID and is sent to registration VLAN if their node
isn't pre-registered. If the node has been registered, the go immediately to
the VLAN associated with their role and this flow stops.
* If they're sent to the registation VLAN:
* Packetfence provides DHCP and DNS for registration VLAN.
* DNS queries from the client are leveraged to redirect them to
packetfence for captive portal. Most modern browsers and OSs should do this
automatically.
After these one though I get to the login page, I log in successfully but I get
the error: Unable to detect network connectivity try restarting your web
browser or opening a new tab to see if your access has been successfully
enabled.
After this I’m stuck, the client is not redirected to the new VLAN and I keep
the old IP Address.
PacketFence is deployed in the following way:
2 NICs, one NIC operates as a Management interface with Radius and DHCP Daemons
listening here. The 2nd NIC operates as a Registration Interface, does DNS and
DHCP.
This is deployed in Hyper-V so this is a forced mode, I cannot use a single
interface and build on top VLANs since Hyper-V doesn’t support multiple tagging
on this.
Also another question: the Registration VLAN, should PacketFence handle the
routing? Because right now there is a Cisco 4500 in VSS that is doing the
routing.
What I’ve also noticed is that the second NIC it is not reachable from outside
the subnet but honestly I think this should be how it works since it is
supposed to be in an Isolated VLAN.
Cannot wrap my head around what I’m missing/what I do wrong.
Ivan
From: Nicholas Pier [mailto:09np...@gmail.com]
Sent: domenica 9 giugno 2019 03:06
To: packetfence-users@lists.sourceforge.net
Cc: Ivan Saliu <ivan.sa...@kikocosmetics.com>
Subject: Re: [PacketFence-users] Issues with PacketFence Captive Portal
configuration
Hi Ivan,
I think this is mostly likely a configuration issue. It sounds like you may be
expecting the controller to receive information about the captive portal. This
may be possible, but it's not how I've deployed packetfence in the past.
Instead, Radius and DNS do most of the work I've only worked with 7.x
controller code and don't know what's changed since... however the typical
workflow I've experienced is as follows:
* User connects to SSID and is sent to registration VLAN if their node
isn't pre-registered. If the node has been registered, the go immediately to
the VLAN associated with their role and this flow stops.
* If they're sent to the registation VLAN:
* Packetfence provides DHCP and DNS for registration VLAN.
* DNS queries from the client are leveraged to redirect them to
packetfence for captive portal. Most modern browsers and OSs should do this
automatically.
* If the user successfully authenticates, packetfence sends a radius
message back to the controller to change their VLAN and place them on a
different subnet.
* Client obtains a new lease and can access the network.
I don't know much about your setup, but if its not routed, and clients are
placed on the same vlan as packetfence (not a routed deployment). Are you
leveraging packetfence for DHCP and DNS on the registration VLAN?
Best wishes,
Nicholas P. Pier
Network & Virtualization Engineer
CCNP RS, PCSNSE7, VCIX6-DCV, VCIX6-NV
On Sat, Jun 8, 2019 at 7:45 PM Ivan Saliu via PacketFence-users
<packetfence-users@lists.sourceforge.net<mailto:packetfence-users@lists.sourceforge.net>>
wrote:
Hello Guys,
I’m experiencing a lot of issues in configuring PacketFence’s Captive Portal
(Version 9.0.1) with Cisco’s WLC (5508, software version 8.1).
Basically I’ve tried to deploy the solution in two ways:
- The “Network Guide” one, where there is only 1 VLAN with ACLs on the
WLC to permit only traffic to DHCP/DNS servers and PacketFence Portal. The
issue here is the fact that the redirection does not work at all. The Radius
parameter with the URL redirection is not filled with data and so the WLC
doesn’t redirect at all the traffic. This is an issue because I do not like the
user experience, since being force to type an URL to log in and register the
device is not good.
- The second type of deployment I’ve tried to do is an interface in
Registration mode, on a dedicated VLAN managed entirely by PacketFence, trying
to use the VLAN change to grant internet access. In this case the Captive
Portal works fine, but once I log into it is not recognized internet access and
I get an error saying that internet access cannot be validated. If I try to
disconnect the client and reconnect it, the VLAN is changed properly and
everything works fine, but again this is not a good user experience and I
cannot put in a production environment something that doesn’t work properly.
This would also be my preferred solution since it grants the best approach to
security of course since I would be able to isolate the Registration VLAN and
then with Access-List prohibit access to corporate network once the client in
registered.
Do you have any idea on how to solve these issues? I do think it is most likely
a misconfiguration on PacketFence or maybe I’m trying to implement something
that it is not supported by Cisco with its WLC?!
Any help on this would be greatly appreciated,
Ivan
_______________________________________________
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net<mailto:PacketFence-users@lists.sourceforge.net>
https://lists.sourceforge.net/lists/listinfo/packetfence-users
--
Questo messaggio e' stato analizzato con Libra ESVA ed e' risultato non infetto.
Clicca qui per segnalarlo come
spam.<http://esva.percassi.it/cgi-bin/learn-msg.cgi?id=C717F400D3.A41D3>
Clicca qui per metterlo in
blacklist<http://esva.percassi.it/cgi-bin/learn-msg.cgi?blacklist=1&id=C717F400D3.A41D3>
_______________________________________________
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users
