Hello All,

First, my user environment consists mostly of Linux and Windows users and
occasionally Mac. Network hardware consists of Cisco 2960 switches for LAN
and Unifi AP AC Pro for wireless connectivity. I need to have an
authentication setup such that users log in with their LDAP credentials and
users are assigned VLANs based on their *memberOf* LDAP attribute.

Here's what I have done so far:
1. Installed PF 13.2 with two interfaces, one separate for management and
another as a trunk with all VLAN interfaces added.
2. Configured an LDAP authentication source.
3. Configured a connection profile using the LDAP auth source.
4. Added Unifi APs individually to PF via MAC address. (Initially, I tried
the controller IP method, but that didn't work, with some weird errors
about not being able to instantiate Switch.)
5. Configured the Unifi controller and Wi-Fi with a guest profile and an
external captive portal pointing to PF, as instructed in the documentation.
6. Enabled the captive portal and respective services on the trunk
interface.
Up to this point everything works great. As soon as a user connects to the
open SSID they get redirected to the captive portal on PF and authenticate
successfully with LDAP. This works great, no problem. I intend to keep that
and later change the auth source for the guest portal.

Now I am trying to do VLAN assignment. I followed the PF documentation for
Ubiquiti to set up the controller with the RADIUS profile, SSID and all.
However, things are not working as expected. I am a bit confused here.
1. I have created interfaces for the registration VLAN (20) and isolation
VLAN (30) on the trunk interface.
2. I have also added 3 other production VLANs where I manage DNS and DHCP.
3. The open SSID on the Unifi controller cannot be set to the registration
VLAN 20 when RADIUS is enabled, so there is no way to communicate with PF via
the registration VLAN; hence users cannot get IPs from PF on the open SSID
and therefore cannot log in.
I need advice on how to get this working. Do I have to make the
registration VLAN the native or default VLAN on the trunk and configure the
guest captive portal on a different VLAN which I can assign in the Unifi
controller?

Also, I have a problem where DNS queries on each VLAN/subnet point to the
PF interface outside that subnet, e.g. pf.example.com is 192.168.0.1/24 on
the registration VLAN, and on the captive portal VLAN 40 the PF IP is
192.168.1.1/24, but a DNS query from the captive portal interface gives the
registration VLAN IP of PF.
I would prefer that queries from each VLAN return the respective PF
interface on that VLAN.
Any help is appreciated.




Warm regards,
Rexford.
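The two mechanisms the post asks about, memberOf-driven VLAN assignment over RADIUS and a per-VLAN answer for the PF hostname, as an added illustration written for this page. This is not PacketFence's own code and makes no claim about how PacketFence or the Unifi controller implement either step; the group DNs, the production VLAN IDs 10-12, the quarantine flag and the PF interface addresses are assumptions (the registration VLAN 20, isolation VLAN 30 and the two PF addresses are taken from the post). The RADIUS reply attributes are the RFC 3580 tunnel attributes that switches and APs read for dynamic VLAN assignment.

```python
"""Dynamic VLAN assignment from LDAP memberOf plus per-subnet DNS answer.

Added example for this thread, not PacketFence code. Group DNs, the
production VLAN IDs and the quarantined flag are assumptions; VLAN 20/30
and the two PF interface addresses match the numbers in the post.
"""
import ipaddress

# Assumed role table: LDAP group DN -> VLAN ID. Order matters: the first
# matching entry wins, so list the most privileged group first.
GROUP_TO_VLAN = [
    ("CN=staff,OU=Groups,DC=example,DC=com", 10),
    ("CN=students,OU=Groups,DC=example,DC=com", 11),
    ("CN=contractors,OU=Groups,DC=example,DC=com", 12),
]
REGISTRATION_VLAN = 20   # from the post
ISOLATION_VLAN = 30      # from the post


def normalize_dn(dn: str) -> str:
    """Canonicalise a DN for comparison. DNs are case-insensitive and
    directories differ in spacing after commas, so comparing raw strings
    silently fails to match. Caveat: escaped commas inside RDN values are
    not handled here; a real implementation should use an LDAP DN parser."""
    return ",".join(part.strip() for part in dn.lower().split(","))


def vlan_for_user(member_of, quarantined: bool = False) -> int:
    """Pick the VLAN for a user from their memberOf values.

    Precedence: isolation (a quarantined device) beats everything; then the
    first GROUP_TO_VLAN entry the user belongs to; otherwise the registration
    VLAN, so an authenticated user with no mapped group never lands in a
    production VLAN by accident."""
    if quarantined:
        return ISOLATION_VLAN
    groups = {normalize_dn(g) for g in member_of}
    for dn, vlan in GROUP_TO_VLAN:
        if normalize_dn(dn) in groups:
            return vlan
    return REGISTRATION_VLAN


def radius_reply_for_vlan(vlan: int) -> dict:
    """RFC 3580 attributes in an Access-Accept that make the AP or switch
    place the session in a VLAN: Tunnel-Type=VLAN (13),
    Tunnel-Medium-Type=IEEE-802 (6), Tunnel-Private-Group-Id=<VLAN id>."""
    return {
        "Tunnel-Type": 13,
        "Tunnel-Medium-Type": 6,
        "Tunnel-Private-Group-Id": str(vlan),
    }


# Assumed PF interface addresses per VLAN, matching the post's examples.
PF_INTERFACES = {
    "registration": ipaddress.ip_interface("192.168.0.1/24"),
    "captive_portal": ipaddress.ip_interface("192.168.1.1/24"),
}


def pf_address_for_client(client_ip: str):
    """Second question in the post: answer a query for the PF hostname with
    the PF interface that shares the client's subnet instead of one fixed
    address. Returns None when the client is on a subnet PF has no leg in,
    so the caller can fall back deliberately rather than hand out an address
    the client cannot reach."""
    ip = ipaddress.ip_address(client_ip)
    best = None
    for iface in PF_INTERFACES.values():
        if ip in iface.network:
            # longest prefix wins if networks overlap
            if best is None or iface.network.prefixlen > best.network.prefixlen:
                best = iface
    return None if best is None else str(best.ip)


if __name__ == "__main__":
    # Constructed sample: a staff member whose directory returns a
    # differently-cased, differently-spaced DN than the role table uses.
    member_of = ["cn=Staff, ou=groups, dc=example, dc=com"]
    vlan = vlan_for_user(member_of)
    print("VLAN:", vlan, "reply:", radius_reply_for_vlan(vlan))
    print("PF for 192.168.1.57 ->", pf_address_for_client("192.168.1.57"))
```

The DN normalisation is the part most often skipped: an LDAP server that returns "CN=Staff, OU=Groups, ..." while the role table stores "cn=staff,ou=groups,..." will match nothing, and with the fallback above that user lands in the registration VLAN instead of production, which is the safe direction for a mismatch.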
_______________________________________________
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users