Hey Ferdana,

I believe registration networks work like this:

If a node has the status unregistered, it is put into the registration vlan with vlan enforcement enabled on connect.

→ the switch (depending on configuration) tries to authenticate the node via RADIUS by MAB (MAC authentication bypass, authentication based on the MAC only) and/or 802.1x.

On the registration vlan, PacketFence provides DHCP and DNS for nodes to get an IP address and to get redirected to a portal if enabled.

→ still, the node could send an 802.1x authentication and be switched into a different vlan.

Once the node is authenticated and listed as registered in the node tab, PF might send a CoA (Change of Authorization) to the switch and signal it to change the vlan of the port the node is connected to, thereby putting it into a different network.

At the moment the node is put into a network different from registration or isolation, there'll be no more DNS or DHCP service by PF (and I'd be happy to be corrected here, because I tried to get DHCP from PF on an 'other' interface and failed).

Inside that new vlan a router other than PF needs to take care of DNS and DHCP for the clients connected. PF can be configured to listen to the network to follow the MACs connected and update the node list (e.g. to detect an unexpected MAC and issue an alert).

The big picture, as I understood it (I'm happy to be corrected), is:

Each node is registered or not. Not being registered signifies registration network.

Each node gets a role applied that defines how it is allowed to access the network once it is registered.

An unregistered node can still be in a role, but it will be put into the registration vlan (e.g. after the registration period timed out).

A role defines which authorization a node has on the network, NOT how that is achieved. It could be done through access lists, an inline firewall, vlan enforcement or some combination.

Maybe I misunderstood your question and all of this has been clear to you already. Then I'd say you'd need to provide some more details about your question. I hope this'll help you.

I hope all of this is correct and would kindly ask to correct my mistakes so we all can learn from them.

Chris

--
Packetfence Matrix Room
https://matrix.to/#/%23packetfence:matrix.org


_______________________________________________
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users
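To make the flow in Chris's message concrete, here is a small added model of it in Python. It is not PacketFence code and not part of the original mail: a node table keyed by MAC, a VLAN decision that sends unregistered nodes to the registration vlan and registered nodes to the vlan of their role, a CoA record whenever that decision changes while the port is up (registration, or registration expiring), and the passive-listener case where a MAC seen on an access vlan that is unknown, unregistered, or on the wrong vlan raises an alert. The vlan ids, role names and MAC addresses are constructed assumptions.

```python
"""Toy model of a registration-vlan NAC flow (added example, assumptions labelled)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

REGISTRATION_VLAN = 2                                    # assumed id of the registration vlan
ROLE_VLANS = {"staff": 10, "guest": 20, "default": 30}   # assumed role -> access vlan


def norm_mac(mac: str) -> str:
    """Normalise a MAC so 'AA-BB-..' and 'aa:bb:..' key the same node."""
    return mac.strip().lower().replace("-", ":")


@dataclass
class Node:
    mac: str
    registered: bool = False
    role: str = "default"
    current_vlan: Optional[int] = None  # vlan the switch port is in right now


@dataclass
class NodeTable:
    nodes: Dict[str, Node] = field(default_factory=dict)
    coa_log: List[Tuple[str, int, int]] = field(default_factory=list)  # (mac, old vlan, new vlan)
    alerts: List[Tuple[str, int]] = field(default_factory=list)        # (mac, vlan it was seen on)

    def target_vlan(self, node: Node) -> int:
        # Unregistered nodes go to the registration vlan even if a role is set;
        # the role only decides the vlan once the node is registered.
        if not node.registered:
            return REGISTRATION_VLAN
        return ROLE_VLANS.get(node.role, ROLE_VLANS["default"])

    def on_connect(self, mac: str) -> int:
        """Switch sends MAB/802.1x for a port; return the vlan to hand back."""
        node = self.nodes.setdefault(norm_mac(mac), Node(norm_mac(mac)))
        node.current_vlan = self.target_vlan(node)
        return node.current_vlan

    def register(self, mac: str, role: str) -> None:
        """Node completes registration (portal, admin) and gets a role."""
        node = self.nodes.setdefault(norm_mac(mac), Node(norm_mac(mac)))
        node.registered, node.role = True, role
        self._reconcile(node)

    def expire_registration(self, mac: str) -> None:
        """Registration period timed out: status back to unregistered."""
        node = self.nodes[norm_mac(mac)]
        node.registered = False
        self._reconcile(node)

    def _reconcile(self, node: Node) -> None:
        # If the port is up and the decided vlan changed, record a CoA to the switch.
        new = self.target_vlan(node)
        if node.current_vlan is not None and node.current_vlan != new:
            self.coa_log.append((node.mac, node.current_vlan, new))
            node.current_vlan = new

    def observe(self, mac: str, vlan: int) -> bool:
        """Passive listener on an access vlan: True (and an alert) if the MAC should not be there."""
        node = self.nodes.get(norm_mac(mac))
        unexpected = node is None or not node.registered or vlan != self.target_vlan(node)
        if unexpected:
            self.alerts.append((norm_mac(mac), vlan))
        return unexpected


def demo() -> dict:
    """Walk one node through connect -> register -> expire, plus an unknown MAC on an access vlan."""
    table = NodeTable()
    known = "AA-BB-CC-DD-EE-01"                     # constructed MAC
    first = table.on_connect(known)                  # unregistered -> registration vlan
    table.register(known, "staff")                   # registration -> CoA to the staff vlan
    after_reg = table.nodes[norm_mac(known)].current_vlan
    stray = table.observe("00:11:22:33:44:55", 10)   # constructed unknown MAC on the staff vlan
    table.expire_registration(known)                 # timeout -> CoA back to registration vlan
    after_exp = table.nodes[norm_mac(known)].current_vlan
    return {"first": first, "after_reg": after_reg, "after_exp": after_exp,
            "stray_alerted": stray, "coa": table.coa_log, "alerts": table.alerts}


if __name__ == "__main__":
    print(demo())
```

The model deliberately keeps "which vlan" (enforcement) separate from "what the node may do" (the role), matching the point in the mail that a role is authorization and a vlan is just one way to enforce it.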