Hello again Francois,
The current config for our Aironet is attached. Thanks in advance for
taking the time to look at it.
Yes, please, if you would, send the Aironet configuration example.
The hardware limitations of the fat AP are understood; we will have
separate 'service' vlans for each SSID.
I'd like to be a bit redundant here to clarify my understanding of the
terminology:
Our 'public' vlan (6) is unsecured by 802.1X (secured by captive
portal only) and will have vlan 102 as 'registration' and vlan 103 as
'isolation'. (that's vlan 102 backup 6)
Our 'secured' vlans (28 and 32) *are* secured by 802.1X; will they
need 'registration' vlans to auto register themselves with
PacketFence? Presumably they would be:
vlan 202 backup 28 (having vlan 203 as 'isolation' vlan)
vlan 302 backup 32 (having vlan 303 as 'isolation' vlan)
Can you point me to some documentation for auto registering them?
Also, it's not clear to me, would they then validate directly against
freeRadius - or validate via PacketFence as part of the auto
registration process?
Finally, sorry, I'm not certain what CLI is - can you, again, point me
to some documentation?
Will test deauthentication using pfcmd_vlan this afternoon - thanks
for that.
Thanks again for the input.
Best,
Chris
On Tue 4.Jan'11 at 7:49:20 -0500, [email protected] wrote:
> Hi Chris,
>
> Can you send the configs of the Aironet? With those "Fat" access point,
> you cannot use the same VLAN on both the MAC Auth and the Secure SSID.
>
> This is a hardware limitation. Usually, you have two options:
> - Auto register devices that are authenticated using 802.1X. You will
> have only :
> vlan 6 in the Secure SSID section
> - Create another registration VLAN for the secure network. You will have :
> vlan 202 backup 6 in the Secure SSID section
>
> I have an Aironet configuration example if you want.
>
> Another thing you need to check is the wireless deauthentication. With
> the Aironets, we use CLI, so make sure the credentials are properly set in
> the switches.conf for that device. You can test it manually using the
> following:
> /usr/local/pf/bin/pfcmd_vlan -deauthentication -switch SWITCH_IP -mac MAC
> -verbose 4
>
> I hope this helps.
Hello François,
This is the current, stripped down config for our test access point
(a Cisco Aironet 1252).
After the captive portal setup is working, we will add vlans 28 and 32 -
both EAP encrypted. These should have *nothing* to do with PacketFence
and will be validated by the access point directly against freeRadius.
According to the new PF instructions for this AP, we can define new
isolation vlans for these vlans (28 & 32) once they are up and running.
Thanks again for the attention.
Best wishes,
Chris
-------------------------------------------------------
!
! Last configuration change at 11:13:55 A Tue Jan 4 2011 by root
! NVRAM config last updated at 20:37:20 A Mon Jan 3 2011 by root
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname ap
!
!
aaa new-model
!
!
aaa group server radius rad_eap
server nnn.nnn.n.nn auth-port 1812 acct-port 1813
!
aaa group server radius rad_mac
server nnn.nnn.n.nn auth-port 1812 acct-port 1813
!
aaa group server radius rad_acct
!
aaa group server radius rad_admin
!
aaa group server tacacs+ tac_admin
!
aaa group server radius rad_pmip
!
aaa group server radius dummy
!
aaa authentication login default local
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods group rad_mac
aaa authorization exec default local
aaa authorization network default group rad_eap
aaa accounting send stop-record authentication failure
aaa accounting session-duration ntp-adjusted
aaa accounting update newinfo periodic 15
aaa accounting network default start-stop group rad_eap
aaa accounting network acct_methods start-stop group rad_eap
!
aaa session-id common
clock timezone A 1
ip domain name enst.fr
ip name-server mmm.mmm.m.mm
ip name-server mmm.mmm.m.mm
!
!
ip ssh version 2
dot11 mbssid
dot11 vlan-name ADM vlan 27
dot11 vlan-name PORTAIL vlan 6
dot11 vlan-name isolation vlan 103
dot11 vlan-name registration vlan 102
!
dot11 ssid Test-PORTAIL
vlan 102 backup PORTAIL
authentication open mac-address mac_methods
accounting acct_methods
mbssid guest-mode
!
dot11 location isocc fr cc 33 ac 145
dot11 network-map
!
crypto pki trustpoint TP-self-signed-589392551
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-589392551
revocation-check none
rsakeypair TP-self-signed-589392551
!
!
username siav password 7 pswd-1
username root privilege 15 password 7 pswd-2
username readUser password 7 pswd-3
username writeUser privilege 15 password 7 pswd-4
!
bridge irb
!
!
interface Dot11Radio0
no ip address
no ip route-cache
!
ssid Test-PORTAIL
!
channel width 40-below
station-role root access-point fallback shutdown
rts threshold 2312
no cdp enable
infrastructure-client
bridge-group 1
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
!
interface Dot11Radio0.6
encapsulation dot1Q 6
no ip route-cache
no cdp enable
bridge-group 6
bridge-group 6 subscriber-loop-control
bridge-group 6 block-unknown-source
no bridge-group 6 source-learning
no bridge-group 6 unicast-flooding
bridge-group 6 spanning-disabled
!
interface Dot11Radio0.102
encapsulation dot1Q 102
no ip route-cache
no cdp enable
bridge-group 102
bridge-group 102 subscriber-loop-control
bridge-group 102 block-unknown-source
no bridge-group 102 source-learning
no bridge-group 102 unicast-flooding
bridge-group 102 spanning-disabled
!
interface Dot11Radio0.103
encapsulation dot1Q 103
no ip route-cache
no cdp enable
bridge-group 103
bridge-group 103 subscriber-loop-control
bridge-group 103 block-unknown-source
no bridge-group 103 source-learning
no bridge-group 103 unicast-flooding
bridge-group 103 spanning-disabled
!
interface Dot11Radio1
no ip address
no ip route-cache
!
ssid Test-PORTAIL
!
no dfs band block
channel dfs
station-role root
bridge-group 1
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
!
interface Dot11Radio1.6
encapsulation dot1Q 6
no ip route-cache
no cdp enable
bridge-group 6
bridge-group 6 subscriber-loop-control
bridge-group 6 block-unknown-source
no bridge-group 6 source-learning
no bridge-group 6 unicast-flooding
bridge-group 6 spanning-disabled
!
interface Dot11Radio1.102
encapsulation dot1Q 102
no ip route-cache
no cdp enable
bridge-group 102
bridge-group 102 subscriber-loop-control
bridge-group 102 block-unknown-source
no bridge-group 102 source-learning
no bridge-group 102 unicast-flooding
bridge-group 102 spanning-disabled
!
interface GigabitEthernet0
no ip address
no ip route-cache
duplex auto
speed auto
no cdp enable
!
interface GigabitEthernet0.6
encapsulation dot1Q 6
no ip route-cache
no cdp enable
bridge-group 6
no bridge-group 6 source-learning
bridge-group 6 spanning-disabled
!
interface GigabitEthernet0.27
encapsulation dot1Q 27 native
no ip route-cache
no cdp enable
bridge-group 1
no bridge-group 1 source-learning
bridge-group 1 spanning-disabled
!
interface GigabitEthernet0.102
encapsulation dot1Q 102
no ip route-cache
no cdp enable
bridge-group 102
no bridge-group 102 source-learning
bridge-group 102 spanning-disabled
!
interface GigabitEthernet0.103
encapsulation dot1Q 103
no ip route-cache
no cdp enable
bridge-group 103
no bridge-group 103 source-learning
bridge-group 103 spanning-disabled
!
interface BVI1
ip address dhcp client-id GigabitEthernet0
no ip route-cache
!
ip http server
ip http authentication aaa
ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
ip radius source-interface BVI1
logging qqq.qqq.q.qq
snmp-server group readGroup v1
snmp-server group writeGroup v1
snmp-server view dot11view ieee802dot11 included
snmp-server community pub_siav RO
snmp-server community portail RW
snmp-server user readUser readGroup v1
snmp-server user writeUser writeGroup v1
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps tty
snmp-server enable traps deauthenticate
snmp-server enable traps aaa_server
snmp-server host nnn.nnn.n.nn pub_siav deauthenticate
no cdp run
radius-server attribute 32 include-in-access-req format %h
radius-server host nnn.nnn.n.nn auth-port 1812 acct-port 1813 key 7 pswd
5-really-long
radius-server retransmit 5
radius-server timeout 2
radius-server deadtime 10
radius-server vsa send accounting
bridge 1 route ip
!
!
!
line con 0
line vty 0 4
transport input ssh
line vty 5 15
transport input ssh
!
sntp server ooo.ooo.oo.ooo
end
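As an added example (not PacketFence's, Cisco's, or anyone in the thread's code), here is a small Python audit of a fat-AP config for the two points the thread turns on: the rule in the reply above that the MAC-auth (captive portal) SSID and the 802.1X SSID may not share a VLAN on these access points, and the fact that `service password-encryption` (type 7) only obfuscates the credentials a config like the one above carries. The type-7 reversal uses the long-published fixed XOR key; the sample config, its addresses, user names and secrets are constructed for the example and are not the posted config.

```python
"""Audit a Cisco Aironet (IOS) config for the issues raised in the thread.

Added example; assumes the IOS "type 7" encoding (a fixed-key XOR, publicly
documented for years) and a constructed sample config modelled on the posted one.
"""
import re

# Fixed key used by IOS "service password-encryption" (type 7). This is
# obfuscation, not encryption: anyone who can read the config reverses it.
TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def decode_type7(encoded):
    """Reverse a type-7 string: two-digit seed, then hex bytes XORed with the key."""
    seed = int(encoded[:2])
    body = bytes.fromhex(encoded[2:])
    return "".join(chr(b ^ TYPE7_KEY[(seed + i) % len(TYPE7_KEY)])
                   for i, b in enumerate(body))


def type7_secrets(config):
    """Every 'password 7' / 'key 7' credential, decoded: [(line_prefix, plaintext)]."""
    out = []
    for line in config.splitlines():
        m = re.match(r"^(.*?) (?:password|key) 7 ([0-9A-Fa-f]+)\s*$", line)
        if m:
            out.append((m.group(1), decode_type7(m.group(2))))
    return out


def rw_communities(config):
    """SNMP v1/v2c communities granted RW (a cleartext, writable control path)."""
    return re.findall(r"^snmp-server community (\S+) RW\b", config, re.M)


def parse_vlan_names(config):
    """Map 'dot11 vlan-name' aliases (e.g. PORTAIL) to VLAN numbers."""
    return {m.group(1): int(m.group(2))
            for m in re.finditer(r"^dot11 vlan-name (\S+) vlan (\d+)", config, re.M)}


def parse_ssids(config):
    """Return {ssid: {"vlans": set of VLAN ids, "mac_auth": bool, "eap": bool}}."""
    names = parse_vlan_names(config)
    ssids, current = {}, None

    def vlan_id(token):
        return int(token) if token.isdigit() else names[token]

    for line in config.splitlines():
        head = re.match(r"^dot11 ssid (\S+)", line)
        if head:
            current = head.group(1)
            ssids[current] = {"vlans": set(), "mac_auth": False, "eap": False}
            continue
        if current is None or not line.startswith(" "):
            current = None  # '!' or the next top-level command closes the ssid block
            continue
        cmd = line.strip()
        m = re.match(r"vlan (\S+)(?: backup (\S+))?", cmd)
        if m:  # 'vlan 102 backup PORTAIL': both the service and the backup VLAN count
            ssids[current]["vlans"].add(vlan_id(m.group(1)))
            if m.group(2):
                ssids[current]["vlans"].add(vlan_id(m.group(2)))
        elif cmd.startswith("authentication "):
            ssids[current]["mac_auth"] |= "mac-address" in cmd
            ssids[current]["eap"] |= re.search(r"\beap\b", cmd) is not None
    return ssids


def shared_vlans(ssids):
    """VLANs used by both a MAC-auth SSID and an EAP SSID: the fat-AP limitation."""
    mac = {v for s in ssids.values() if s["mac_auth"] for v in s["vlans"]}
    eap = {v for s in ssids.values() if s["eap"] for v in s["vlans"]}
    return sorted(mac & eap)


# Constructed sample (not the posted config); the type-7 strings encode
# "cisco" and "secret" so the reversal can be checked by eye.
SAMPLE_CONFIG = """\
hostname ap
service password-encryption
dot11 vlan-name PORTAIL vlan 6
dot11 vlan-name registration vlan 102
dot11 vlan-name isolation vlan 103
!
dot11 ssid Test-PORTAIL
 vlan 102 backup PORTAIL
 authentication open mac-address mac_methods
 mbssid guest-mode
!
dot11 ssid Test-SECURE
 vlan 6
 authentication open eap eap_methods
 authentication key-management wpa
!
username root privilege 15 password 7 070C285F4D06
snmp-server community pub_siav RO
snmp-server community portail RW
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key 7 0215015819031B
"""


def report(config):
    """Human-readable findings for one config."""
    lines = [f"type-7 secret on '{where}' decodes to '{plain}'"
             for where, plain in type7_secrets(config)]
    lines += [f"SNMP community '{c}' is RW over v1/v2c" for c in rw_communities(config)]
    clash = shared_vlans(parse_ssids(config))
    if clash:
        lines.append(f"MAC-auth and EAP SSIDs share VLAN(s) {clash}: not supported on a fat AP")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_CONFIG)))
```

Run against the sample, the report flags the two reversible secrets, the RW community and VLAN 6 shared between the portal SSID (as its backup VLAN) and the secure SSID; moving the secure SSID to its own registration VLAN (`vlan 202 backup 28`), as the reply suggests, clears that finding. PacketFence does need SNMP write access to the AP, so the point of the RW check is that the community travels in cleartext and should be restricted to the PacketFence host.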
_______________________________________________
Packetfence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users