Hi again Olivier,

Have finally isolated the sequence of what is going on between PF and
the WAP - it goes like this:

-- a user attempts to log on to the open SSID
-- PF (via rlm_perl_packetfence) checks the MAC against its database
   and finds that the user is unregistered
-- PF (rlm_perl_packetfence) then decides that the user is "an
   unregistered user on secure SSID"
-- rlm_perl_packetfence then returns vlan '-1'

That's where I need to ask why it does that instead of returning the
registration vlan and what I can do about it. I would have thought
that, the registration vlan having been defined, it would have been
the logical next step to return (and therefore reset) it.

So, given the above, how do I get it to switch to the reg vlan?

Thanks Olivier - a good weekend if I don't speak to you before then.

Chris

On Thu 21.Oct'10 at 17:48:44 +0200, cg wrote:
> Hello Olivier,
>
> Thanks for the reply and the (essential) overview; will take a look
> at the mailing list archives for this. I went to mtn.inverse.ca,
> didn't find the docs/ dir but grabbed what seemed to be an updated
> copy of the admin guide.
>
> Our WAP is set up with two 'regular' 802.1x vlans (28 & 32) which I'd
> like to keep entirely separate from PF; they should authenticate
> against radius and either accept or kick out the user depending on the
> validation. I also have a separate, unsecured vlan (5) which I'd like
> PF to monitor (as it likes to); it's an unsecured vlan which PF
> should deal with as usual - validating and registering users via
> captive portal, etc.
>
> However, running radius in debug mode shows the PF
> rlm_perl_packetfence module being called for *all* vlans and
> legitimate normal users of those vlans (28 & 32) being kicked out as
> invalid. That is, radius first accepts them then the
> rlm_perl_packetfence module rejects them. I don't understand this as I
> have checked the PF config (many times) and the non-PF vlans are
> nowhere entered into the PF config. Likewise for the PF setup for
> radius; I've followed the recipes (both new and old) but
> rlm_perl_packetfence seems to be being called for everything.
>
> By-the-way, PF should be *only* monitoring vlan 5, so I've entered '5'
> into both the VLAN_GUEST and VLAN_NORMAL config vars in the module. It
> won't allow me to leave VLAN_GUEST blank ...
>
> Thanks again for the feedback. I realise that the above is a vague
> description - hoping that you might be able to cast an educated eye
> towards it and spot something obvious ...
>
> Best wishes,
>
> Chris
>
> On Wed 20.Oct'10 at 11:41:41 -0400, Olivier Bilodeau wrote:
> > Hi Chris,
> >
> > On 14/10/10 8:45 AM, cg wrote:
> > > Hello List,
> > >
> > > Posting this in hopes that someone can clarify a configuration issue
> > > I've been struggling with for the past two weeks.
> > >
> > > I have PacketFence working well with our wired switches - the captive
> > > portal is presented, authentication is performed, vlans are changed
> > > correctly, etc. I'm now working on the wireless side of things, with a
> > > Cisco Air-AP1252AG (Cisco::Aironet_1250), set up according to the PF
> > > docs (checked multiple times) but, seemingly, not sending the proper
> > > traps to PF. We want a captive portal here, as well, for our 'open'
> > > SSID.
> >
> > Wireless doesn't rely on traps, it relies on performing the
> > authentication with FreeRADIUS (hosted on PacketFence) and having it
> > return a VLAN value to the client. Then the WAP makes this client be in
> > that VLAN.
> >
> > I think some aspects of the admin guide were updated lately, grab a copy
> > of the latest guide (ODT open document format) from our code repository:
> > mtn.inverse.ca look inside docs/
> >
> > Remember: no traps and it is a completely different way of thinking than
> > wired with port-security. Searching the mailing list archives will help
> > you as well.
> >
> > Cheers!
_______________________________________________
Packetfence-users mailing list
https://lists.sourceforge.net/lists/listinfo/packetfence-users
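
Added example, not part of the thread and not PacketFence code: the "VLAN value" that FreeRADIUS returns for the WAP to apply is carried in the Access-Accept as the three RFC 3580 tunnel attributes, which this sketch encodes and decodes. The function names are made up for illustration; the code makes no claim about how rlm_perl_packetfence treats '-1', only that -1 is not an assignable 802.1Q VLAN ID.

```python
import struct

TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
VLAN, IEEE_802 = 13, 6  # RFC 3580 values used for VLAN assignment


def vlan_attributes(vlan_id, tag=0):
    """Encode the three Access-Accept attributes that assign a VLAN."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("not an assignable 802.1Q VLAN ID: %r" % vlan_id)
    if not 0 <= tag <= 0x1F:
        raise ValueError("tunnel tag must be 0..31")
    out = b""
    for attr, value in ((TUNNEL_TYPE, VLAN), (TUNNEL_MEDIUM_TYPE, IEEE_802)):
        # Layout: type, length (always 6), tag, 24-bit value
        out += struct.pack("!BBB", attr, 6, tag) + value.to_bytes(3, "big")
    group = str(vlan_id).encode("ascii")
    if tag:  # the tag byte is optional on the string attribute
        group = bytes([tag]) + group
    return out + struct.pack("!BB", TUNNEL_PRIVATE_GROUP_ID, 2 + len(group)) + group


def assigned_vlan(attrs):
    """Return the VLAN ID a reply assigns, or None if it assigns none."""
    found, pos = {}, 0
    while pos + 2 <= len(attrs):
        attr, length = attrs[pos], attrs[pos + 1]
        if length < 2 or pos + length > len(attrs):
            raise ValueError("malformed attribute at offset %d" % pos)
        value = attrs[pos + 2:pos + length]
        if attr in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE) and length == 6:
            found[attr] = int.from_bytes(value[1:], "big")  # skip the tag
        elif attr == TUNNEL_PRIVATE_GROUP_ID:
            if value and value[0] <= 0x1F:  # leading byte is a tag
                value = value[1:]
            found[attr] = value.decode("ascii")
        pos += length
    if found.get(TUNNEL_TYPE) != VLAN or found.get(TUNNEL_MEDIUM_TYPE) != IEEE_802:
        return None
    group = found.get(TUNNEL_PRIVATE_GROUP_ID, "")
    return int(group) if group.isdigit() and 1 <= int(group) <= 4094 else None
```

Comparing the attributes shown in the FreeRADIUS debug output against this layout shows whether a usable VLAN was actually sent to the access point.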
