Hey Chris,

On 03/04/2025 at 10:50, Chris Vogel via PacketFence-users wrote:

> Hey Mathieu,
>
> On 31.03.25 at 22:59, Mathieu Valois via PacketFence-users wrote:
>> Those locations have a unique VLAN, called guest, of ID 100. On each
>> site, the DHCP server for that VLAN is a Windows Server with a given
>> subnet for each (10.1.0.0/24, 10.1.1.0/24 and so on). Packetfence
>> machines are offsite and do not have a network interface on those VLANs.
>> Packets from those VLANs are routed (layer 3) to the Packetfence for
>> captive portal access.
>
> If I'm understanding your description correctly the only way to stop an unregistered client from using whatever resources outside VLAN 100 would be to restrict it by a firewall.

Yes. In fact, the Unifi AP blocks traffic until Packetfence tells it to allow the supplicant after having filled the captive portal.

> This restriction wouldn't be very safe, because many clients can change their ip/mac.
>
> Is that the way you'll want to restrict unregistered clients?

Yes, we are aware of it.

> On packetfence a way to distinguish between a registered and an unregistered client might be the use of a PSK for unregistered clients and giving out a dynamic pre-shared key (DPSK) to clients already registered.
>
> This way you could map between PSK and MAC to manage a single client. The MAC (and maybe the IP known from the windows dhcp) would be the soft attributes you could base firewall rules on.

Interesting. So Packetfence is capable of distinguishing the connection from a PSK and a DPSK?

> I don't know about the situation with Unifi and the use of DPSK, so that might already be a show stopper.

I know we can set DPSK in Unifi to attribute different VLAN for the same SSID depending on which key the supplicant provides. Is it what you're talking about?

> Chris

Many thanks for your time!

Mat

téïcée Mathieu Valois

Security, systems and network engineer

Caen office: Quartier Kœnig - 153, rue Géraldine MOCK - 14760 Bretteville-sur-Odon
Vitré office: Zone de la baratière - 12, route de Domalain - 35500 Vitré
02 72 34 13 20 | www.teicee.com


_______________________________________________
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users
