Hey Chris,
On 03/04/2025 at 10:50, Chris Vogel via PacketFence-users wrote:
Yes. In fact, the UniFi AP blocks traffic until PacketFence tells it to allow the supplicant after having filled the captive portal.
Hey Mathieu,
On 31.03.25 at 22:59, Mathieu Valois via PacketFence-users wrote:
Those locations have a unique VLAN, called guest, of ID 100. On each
site, the DHCP server for that VLAN is a Windows Server with a given
subnet for each (10.1.0.0/24, 10.1.1.0/24 and so on). PacketFence
machines are offsite and do not have a network interface on those VLANs.
Packets from those VLANs are routed (layer 3) to the PacketFence for
captive portal access.
If I'm understanding your description correctly, the only way to stop an unregistered client from using whatever resources outside VLAN 100 would be to restrict it by a firewall.
Yes, we are aware of it.
This restriction wouldn't be very safe, because many clients can change their IP/MAC.
Is that the way you'll want to restrict unregistered clients?
Interesting. So PacketFence is capable of distinguishing the connection from a PSK and a DPSK?
On PacketFence a way to distinguish between a registered and an unregistered client might be the use of a PSK for unregistered clients and giving out a dynamic pre-shared key (DPSK) to clients already registered.
This way you could map between PSK and MAC to manage a single client. The MAC (and maybe the IP known from the Windows DHCP) would be the soft attributes you could base firewall rules on.
I know we can set DPSK in UniFi to attribute a different VLAN for the same SSID depending on which key the supplicant provides. Is it what you're talking about?
I don't know about the situation with UniFi and the use of DPSK, so that might already be a showstopper.
Chris
Many thanks for your time!
Mat
Mathieu Valois
Security, systems and network engineer
Caen office: Quartier Kœnig - 153, rue Géraldine MOCK - 14760 Bretteville-sur-Odon
_______________________________________________
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users