Hi Francois,

Thanks for the good info and the model Aironet config.

Our AP config was pretty close to the model; we trimmed a few things and all seems pretty good (but see below).

Ah! CLI means command line interface - I was ahead of (or behind) myself; I had thought it was a bit of switch esoterica (spanning-trees, or ...). Glad it was something simple. It hadn't been set up before (I didn't know that it was being used). It's functional now, via SSH.

So, thanks for the guidance; it's all working a treat now - except one, small, final point: the final deauthentication of the borne, *after* the captive portal, and its validation, have completed. There seems to be a problem reading the final deauthentication trap. I don't think it's a config issue (but I could be wrong ...).

The bizarre thing is that if I perform the step manually, following your instructions for pfcmd_vlan, it *does* work. What is puzzling is that, presumably, pfcmd_vlan uses the config setup from PF (switches.conf ...). Why should it work manually - and not at the end of the captive portal process?

Here are the logs:

'Normal' PF handling of captive portal sequence (doesn't work ...):

Jan 05 15:09:01 pf::WebAPI(19867) INFO: handling radius autz request: from switch_ip => ip.ip.ip.ip, connection_type => Wireless-802.11-NoEAP mac => nn:nn:nn:nn:nn:nn, port => 269, username => nnnnnnnnnnnn (pf::radius::authorize)
Jan 05 15:09:01 pf::WebAPI(19867) WARN: Unable to extract SSID for module pf::SNMP::Cisco::Aironet_1250. SSID-based VLAN assignments won't work. Please let us know so we can add support for it. (pf::SNMP::extractSsid)
Jan 05 15:09:01 pf::WebAPI(19867) INFO: MAC: nn:nn:nn:nn:nn:nn, PID: xxxxxxxx, Status: reg. Returned VLAN: 6 (pf::radius::_findNodeVlan)
Jan 05 15:09:01 pf::WebAPI(19867) INFO: Returning ACCEPT with VLAN: 6 (pf::radius::authorize)
Jan 05 15:09:03 pfsetvlan(5) WARN: unable to parse trapLine.. here's the line: ip.ip.ip.ip ||dot11Deauthentication|||nn:nn:nn:nn:nn:nn (main::startTrapHandlers)
Jan 05 15:09:03 pfsetvlan(5) INFO: nb of items in queue: 1; nb of threads running: 0 (main::startTrapHandlers)
Jan 05 15:09:03 pfsetvlan(5) INFO: doWeActOnThisTrap returns false. Stop dot11Deauthentication handling (main::handleTrap)
Jan 05 15:09:03 pfsetvlan(5) INFO: finished (main::cleanupAfterThread)

Manual deauthentication (works ...):

Jan 05 15:13:54 pfcmd_vlan(0) DEBUG: instantiating new SwitchFactory object (pf::SwitchFactory::new)
Jan 05 15:13:54 pfcmd_vlan(0) DEBUG: reading config file /usr/local/pf/conf/switches.conf (pf::SwitchFactory::readConfig)
Jan 05 15:13:54 pfcmd_vlan(0) DEBUG: creating new pf::SNMP::Cisco::Aironet_1250 object (pf::SwitchFactory::instantiate)
Jan 05 15:13:54 pfcmd_vlan(0) DEBUG: start handling 'deauthenticate' command (main::)
Jan 05 15:13:55 pfcmd_vlan(0) DEBUG: finished handling 'deauthenticate' command (main::)

Hope you can see what's obvious that I'm missing ...

Thanks again for the attention,

Chris

On Tue 4.Jan'11 at 11:03:26 -0500, Francois Gaudreault wrote:
> Hi Chris,
>
> > Yes, please, if you would, send the Aironet configuration example.
>
> In attachment. The example config is for an Aironet 1200 series, but it should give you a good idea how to configure yours.
>
> > I'd like to be a bit redundant here to clarify my understanding of the terminology:
> >
> > Our 'public' vlan (6) is unsecured by 802.1X (secured by captive portal only) and will have vlan 102 as 'registration' and vlan 103 as 'isolation'. (that's vlan 102 backup 6)
>
> Yes.
>
> > Our 'secured' vlans (28 and 32) *are* secured by 802.1X; will they need 'registration' vlans to auto register themselves with PacketFence? Presumably they would be:
> >
> > vlan 202 backup 28 (having vlan 203 as 'isolation' vlan)
> > vlan 302 backup 32 (having vlan 303 as 'isolation' vlan)
>
> If you plan to use 802.1X with auto-registration, you will NOT need any other registration VLAN. Radius will take care of the user authentication. Since the perl module runs in the post-auth section, we consider that if the request is reaching the post-auth section, that means the user is valid, and should be auto-registered. We consider the captive portal a useless step when using 802.1X since the captive portal login credentials are usually taken from the same LDAP :)
>
> > Can you point me to some documentation for auto registering them?
> > Also, it's not clear to me, would they then validate directly against freeRadius - or validate via PacketFence as part of the auto registration process?
>
> You will find a code snippet in /usr/local/pf/lib/pf/vlan/custom.pm
>
> > Finally, sorry, I'm not certain what CLI is - can you, again, point me to some documentation?
>
> This means using Telnet or SSH. Have a look in switches.conf:
> cliTransport = Telnet
> cliUser =
> cliPwd =
> cliEnablePwd =
>
> I hope this helps.
>
> --
> Francois Gaudreault, ing. jr
> [email protected] :: +1.514.447.4918 (x130) :: www.inverse.ca
> Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence (www.packetfence.org)
>
> ------------------------------------------------------------------------------
> Learn how Oracle Real Application Clusters (RAC) One Node allows customers
> to consolidate database storage, standardize their database environment, and,
> should the need arise, upgrade to a full multi-node Oracle RAC database
> without downtime or disruption
> http://p.sf.net/sfu/oracle-sfdevnl
> _______________________________________________
> Packetfence-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/packetfence-users
