Hi Chris,
> Yes, please, if you would, send the Aironet configuration example.
In attachment. The example config is for an Aironet 1200 series, but it should give you a good idea how to configure yours.
> I'd like to be a bit redundant here to clarify my understanding of the
> terminology:
>
> Our 'public' vlan (6) is unsecured by 802.1X (secured by captive
> portal only) and will have vlan 102 as 'registration' and vlan 103 as
> 'isolation'. (that's vlan 102 backup 6)
Yes.
> Our 'secured' vlans (28 and 32) *are* secured by 802.1X; will they
> need 'registration' vlans to auto register themselves with
> PacketFence? Presumably they would be:
>
>    vlan 202 backup 28  (having vlan 203 as 'isolation' vlan)
>    vlan 302 backup 32  (having vlan 303 as 'isolation' vlan)
If you plan to use 802.1X with auto-registration, you will NOT need any other registration VLAN. RADIUS will take care of the user authentication. Since the Perl module runs in the post-auth section, we consider that if the request is reaching the post-auth section, that means the user is valid, and should be auto-registered. We consider the captive portal a useless step when using 802.1X since the captive portal login credentials are usually taken from the same LDAP :)
> Can you point me to some documentation for auto registering them?
> Also, it's not clear to me, would they then validate directly against
> freeRadius - or validate via PacketFence as part of the auto
> registration process?
You will find a code snippet in /usr/local/pf/lib/pf/vlan/custom.pm
> Finally, sorry, I'm not certain what CLI is - can you, again, point me
> to some documentation?
This means using Telnet or SSH. Have a look in switches.conf:
cliTransport = Telnet
cliUser =
cliPwd =
cliEnablePwd =

I hope this helps.

--
Francois Gaudreault, ing. jr
[email protected]  ::  +1.514.447.4918 (x130) ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence 
(www.packetfence.org)

version 12.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname InverseAP
!
no logging console
enable secret blablablablabla
!
ip subnet-zero
!
!
aaa new-model
!
!
aaa group server radius rad_mac
 server n.n.n.n auth-port 1812 acct-port 1813
!
aaa group server radius rad_eap
 server n.n.n.n auth-port 1812 acct-port 1813
!
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods group rad_mac
aaa session-id common
dot11 mbssid
dot11 vlan-name demo_guests vlan 205
dot11 vlan-name demo_isolat vlan 203
dot11 vlan-name demo_prod vlan 210
dot11 vlan-name demo_regist vlan 202
!
dot11 ssid DemoPub
   vlan 202 backup 205 203
   authentication open mac-address mac_methods
   mbssid guest-mode
!
dot11 ssid DemoSec
   vlan 210
   authentication open eap eap_methods
   authentication key-management wpa
   mbssid guest-mode
!
!
!
username Cisco password blablablabla
!
bridge irb
!
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption vlan 210 mode ciphers aes-ccm
 !
 ssid DemoPub
 !
 ssid DemoSec
 !
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 station-role root
 bridge-group 1
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface Dot11Radio0.202
 encapsulation dot1Q 202
 no ip route-cache
 bridge-group 202
 bridge-group 202 subscriber-loop-control
 bridge-group 202 block-unknown-source
 no bridge-group 202 source-learning
 no bridge-group 202 unicast-flooding
 bridge-group 202 spanning-disabled
!
interface Dot11Radio0.203
 encapsulation dot1Q 203
 no ip route-cache
 bridge-group 203
 bridge-group 203 subscriber-loop-control
 bridge-group 203 block-unknown-source
 no bridge-group 203 source-learning
 no bridge-group 203 unicast-flooding
 bridge-group 203 spanning-disabled
!
interface Dot11Radio0.205
 encapsulation dot1Q 205
 no ip route-cache
 bridge-group 205
 bridge-group 205 subscriber-loop-control
 bridge-group 205 block-unknown-source
 no bridge-group 205 source-learning
 no bridge-group 205 unicast-flooding
 bridge-group 205 spanning-disabled
!
interface Dot11Radio0.210
 encapsulation dot1Q 210
 no ip route-cache
 bridge-group 210
 bridge-group 210 subscriber-loop-control
 bridge-group 210 block-unknown-source
 no bridge-group 210 source-learning
 no bridge-group 210 unicast-flooding
 bridge-group 210 spanning-disabled
!
interface FastEthernet0
 no ip address
 no ip route-cache
 duplex auto
 speed auto
 bridge-group 1
 no bridge-group 1 source-learning
 bridge-group 1 spanning-disabled
!
interface FastEthernet0.202
 encapsulation dot1Q 202
 no ip route-cache
 bridge-group 202
 no bridge-group 202 source-learning
 bridge-group 202 spanning-disabled
!
interface FastEthernet0.203
 encapsulation dot1Q 203
 no ip route-cache
 bridge-group 203
 no bridge-group 203 source-learning
 bridge-group 203 spanning-disabled
!
interface FastEthernet0.205
 encapsulation dot1Q 205
 no ip route-cache
 bridge-group 205
 no bridge-group 205 source-learning
 bridge-group 205 spanning-disabled
!
interface FastEthernet0.210
 encapsulation dot1Q 210
 no ip route-cache
 bridge-group 210
 no bridge-group 210 source-learning
 bridge-group 210 spanning-disabled
!
interface BVI1
 ip address 172.16.1.3 255.255.255.0
 no ip route-cache
!
ip default-gateway 172.16.1.1
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
!
snmp-server community public RO
radius-server host 172.16.1.1 auth-port 1812 acct-port 1813 key blablablabla
radius-server vsa send authentication
bridge 1 route ip
!
!
!
line con 0
line vty 0 4
!
end
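As an added example (not part of the original thread and not PacketFence code), the following Python script parses the `dot11 ssid` stanzas and the radio's `encryption vlan` lines of an Aironet IOS config like the attached one and checks the points the reply makes: the 802.1X SSID needs WPA key-management plus a cipher for its VLAN and no extra registration VLAN, while the MAC-auth (captive portal) SSID is the one that carries backup VLANs so PacketFence can move a client between registration, production and isolation. It also flags two management-plane settings visible in the attachment (the `public` SNMP community and HTTP-only web management). The embedded config fragment is constructed from the attachment; the expected layout of "primary VLAN plus two backups" for the MAC-auth SSID is an assumption taken from that sample, not a PacketFence rule.

```python
"""Audit an Aironet (IOS) config for the PacketFence SSID/VLAN setup."""
import re

# Constructed sample: the stanzas of the attached Aironet 1200 config that matter here.
SAMPLE_CONFIG = """\
dot11 ssid DemoPub
   vlan 202 backup 205 203
   authentication open mac-address mac_methods
   mbssid guest-mode
!
dot11 ssid DemoSec
   vlan 210
   authentication open eap eap_methods
   authentication key-management wpa
   mbssid guest-mode
!
interface Dot11Radio0
 no ip address
 encryption vlan 210 mode ciphers aes-ccm
 ssid DemoPub
 ssid DemoSec
!
snmp-server community public RO
ip http server
no ip http secure-server
"""


def parse_ssids(config):
    """Return {ssid_name: {vlan, backup, auth, wpa}} from the dot11 ssid stanzas."""
    ssids = {}
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"dot11 ssid (\S+)$", line)
        if m:
            current = ssids.setdefault(
                m.group(1), {"vlan": None, "backup": [], "auth": None, "wpa": False})
            continue
        # "!" or any unindented line ends the current stanza.
        if line == "!" or not raw.startswith(" "):
            current = None
            continue
        if current is None:
            continue
        m = re.match(r"vlan (\d+)(?: backup ((?:\d+ ?)+))?$", line)
        if m:
            current["vlan"] = int(m.group(1))
            current["backup"] = [int(v) for v in (m.group(2) or "").split()]
        elif line.startswith("authentication open"):
            current["auth"] = ("eap" if " eap " in line
                               else "mac" if "mac-address" in line else "open")
        elif line.startswith("authentication key-management wpa"):
            current["wpa"] = True
    return ssids


def parse_encrypted_vlans(config):
    """VLAN ids that have an 'encryption vlan N mode ciphers ...' line on the radio."""
    return {int(v) for v in
            re.findall(r"^\s*encryption vlan (\d+) mode ciphers", config, re.M)}


def audit(config):
    """Return a list of human-readable findings; an empty list means all checks passed."""
    findings = []
    encrypted = parse_encrypted_vlans(config)
    for name, s in parse_ssids(config).items():
        if s["auth"] == "eap":
            if not s["wpa"]:
                findings.append(f"{name}: 802.1X SSID without WPA key-management")
            if s["vlan"] not in encrypted:
                findings.append(f"{name}: VLAN {s['vlan']} has no encryption ciphers configured")
            if s["backup"]:
                findings.append(f"{name}: 802.1X SSID carries backup VLANs (not needed with auto-registration)")
        elif s["auth"] == "mac":
            # Assumption from the sample: registration VLAN first, production and isolation as backups.
            if len(s["backup"]) < 2:
                findings.append(f"{name}: MAC-auth SSID needs production and isolation backup VLANs")
        else:
            findings.append(f"{name}: no RADIUS authentication on SSID")
    if re.search(r"^snmp-server community (public|private) ", config, re.M):
        findings.append("default SNMP community string in use")
    if (re.search(r"^ip http server$", config, re.M)
            and re.search(r"^no ip http secure-server$", config, re.M)):
        findings.append("management web UI is HTTP only")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG) or ["no findings"]:
        print(finding)
```

Run against the attached config the two SSID checks pass and only the two management-plane findings are reported; removing the `authentication key-management wpa` line from DemoSec adds a finding for the 802.1X SSID.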
_______________________________________________
Packetfence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users