Hey Mathieu,
On 31.03.25 at 22:59, Mathieu Valois via PacketFence-users wrote:
Those locations have a unique VLAN, called guest, of ID 100. On each
site, the DHCP server for that VLAN is a Windows Server with a given
subnet for each (10.1.0.0/24, 10.1.1.0/24 and so on). PacketFence
machines are offsite and do not have a network interface on those VLANs.
Packets from those VLANs are routed (layer 3) to the PacketFence for
captive portal access.
If I'm understanding your description correctly, the only way to stop an
unregistered client from using whatever resources outside VLAN 100
would be to restrict it by a firewall.
This restriction wouldn't be very safe, because many clients can change
their IP/MAC.
Is that the way you'll want to restrict unregistered clients?
On PacketFence a way to distinguish between a registered and an
unregistered client might be the use of a PSK for unregistered clients
and giving out a dynamic pre-shared key (DPSK) to clients already
registered.
This way you could map between PSK and MAC to manage a single client.
The MAC (and maybe the IP known from the Windows DHCP) would be the soft
attributes you could base firewall rules on.
I don't know about the situation with Unifi and the use of DPSK, so that
might already be a show stopper.
Chris
--
Packetfence Matrix Room
https://matrix.to/#/%23packetfence:matrix.org
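As an added illustration of the PSK/DPSK idea in Chris's reply (this is constructed example code, not part of the thread and not PacketFence's or Unifi's own implementation), the toy registry below keeps a shared guest PSK for unregistered devices and issues one dynamic pre-shared key per registered MAC. The role names, the `ROLE_POLICY` table and the decision to reject a key presented from a MAC other than the one it was issued to are assumptions made for the example; PacketFence's real role and enforcement model is richer.

```python
"""Toy registry mapping a dynamic pre-shared key (DPSK) to a single device MAC.

Constructed example: any device using the shared guest PSK lands in the
"unregistered" role, while each registered device receives its own DPSK.
Because a DPSK is bound to one MAC, a key presented from another MAC is
logged and rejected rather than silently inheriting the registered role.
"""
import re
import secrets
from dataclasses import dataclass, field

MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")

# What an upstream firewall should do with each role (assumed policy names).
ROLE_POLICY = {
    "registered": "allow",        # full access beyond VLAN 100
    "unregistered": "portal-only",  # only the captive portal is reachable
    "reject": "drop",             # unknown or mismatched key
}


def normalize_mac(mac: str) -> str:
    """Accept aa-bb-cc-dd-ee-ff or AA:BB:..., return lower-case colon form."""
    mac = mac.strip().lower().replace("-", ":")
    if not MAC_RE.match(mac):
        raise ValueError(f"malformed MAC address: {mac!r}")
    return mac


@dataclass
class DpskRegistry:
    guest_psk: str
    keys: dict = field(default_factory=dict)    # dpsk -> owning MAC
    events: list = field(default_factory=list)  # audit trail of anomalies

    def register(self, mac: str) -> str:
        """Issue a fresh DPSK for `mac`; any earlier key for it is revoked."""
        mac = normalize_mac(mac)
        for old_key in [k for k, m in self.keys.items() if m == mac]:
            del self.keys[old_key]
        dpsk = secrets.token_urlsafe(24)
        self.keys[dpsk] = mac
        return dpsk

    def revoke(self, mac: str) -> int:
        """Drop every key bound to `mac`; returns how many were removed."""
        mac = normalize_mac(mac)
        doomed = [k for k, m in self.keys.items() if m == mac]
        for k in doomed:
            del self.keys[k]
        return len(doomed)

    def classify(self, mac: str, presented_key: str) -> str:
        """Map (MAC, key) to a role; mismatches are recorded in `events`."""
        mac = normalize_mac(mac)
        if secrets.compare_digest(presented_key, self.guest_psk):
            return "unregistered"
        owner = self.keys.get(presented_key)
        if owner is None:
            self.events.append(f"unknown key presented by {mac}")
            return "reject"
        if owner != mac:
            # The key is valid but bound to a different device: treat as an
            # anomaly worth alerting on, not as a registered client.
            self.events.append(f"key issued to {owner} presented by {mac}")
            return "reject"
        return "registered"

    def policy(self, mac: str, presented_key: str) -> str:
        """Firewall action for this (MAC, key) pair."""
        return ROLE_POLICY[self.classify(mac, presented_key)]


if __name__ == "__main__":
    reg = DpskRegistry(guest_psk="guest-shared-psk")   # constructed value
    key = reg.register("AA-BB-CC-DD-EE-01")
    print(reg.policy("aa:bb:cc:dd:ee:01", key))                 # allow
    print(reg.policy("aa:bb:cc:dd:ee:02", "guest-shared-psk"))  # portal-only
    print(reg.policy("aa:bb:cc:dd:ee:02", key))                 # drop
    print(reg.events)
```

The point of the example is that the MAC alone is the "soft" attribute the reply warns about; pairing it with a per-device secret gives the firewall decision something a client cannot change on its own, and the mismatch log gives the operator a signal when a key shows up on the wrong device.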
_______________________________________________
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users