Hi Owen,

> The overall goal here is to be able to bounce users (both wired and
> wireless) from one vlan to another based on policy (snort) AND to
> force the client to "Agree to the TOS" on initial connection.

Can you enlighten me on the policy part? I am not sure I understand what you mean. If you are talking about a kind of AUP, this is entirely managed by the captive portal; SNORT has nothing to do with it. SNORT is only useful if you want to isolate people that are doing bad things.

> Packet Fence seems to deliver just that, except for the fact that the
> use of a radius server would suggest users would have to authenticate
> against our account management backend (AD or LDAP). We do not want to
> force users to have accounts to use this network.
> Is there a pattern that will get me what I want without binding to
> LDAP or AD?

There is a technology called by many vendors "MAC Filtering". On newer devices, you can use this feature to authenticate a MAC address to the RADIUS server without using AD or LDAP usernames. However, this is NOT possible if you want to use PEAP or EAP-TLS/TTLS style authentication (WPA2 Enterprise); you can only use it with Open SSID, WEP, WPA Personal (PSK) and WPA2 Personal (PSK).

How MAC filtering works is very simple: the AP sends the MAC address of the device to RADIUS as the username. We then have a Perl module hooked into RADIUS to talk with PacketFence. That module asks PF to check the status of the node (the MAC address we receive) in its database, and returns to the AP the right RADIUS attributes with the proper VLAN ID.

> Do I even need to integrate radius?

Yes. Otherwise, you won't be able to return the proper VLAN for your wireless nodes.
I hope it helps.

-- 
Francois Gaudreault, ing. jr
[email protected] :: +1.514.447.4918 (x130) :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence (www.packetfence.org)

_______________________________________________
Packetfence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
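The following is an added illustration of the MAC-filtering flow Francois describes; it is example code written for this page, not PacketFence's Perl module or any FreeRADIUS code. The AP puts the client's MAC address in User-Name, the policy looks the node up and answers with the standard RFC 2868/3580 tunnel attributes that switches and APs read for VLAN assignment (Tunnel-Type 13 = VLAN, Tunnel-Medium-Type 6 = IEEE-802, Tunnel-Private-Group-Id = VLAN id). The VLAN numbers, the node table and the User-Name/Calling-Station-Id consistency check are assumptions made for the example; the MAC normalisation handles the different formats vendors send (aa-bb-cc-dd-ee-ff, aabb.ccdd.eeff, AABBCCDDEEFF), which is the first thing that goes wrong in practice when a node that is clearly registered keeps landing in the registration VLAN.

```python
"""Model of a MAC-authentication RADIUS policy (added example, not PacketFence code).

The access point sends the device's MAC address as User-Name (and as
Calling-Station-Id); the policy looks the node up and replies with the
RFC 2868 / RFC 3580 tunnel attributes that carry the VLAN id.
"""
import re

# Attribute values defined by RFC 2868 / RFC 3580 for VLAN assignment.
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_IEEE_802 = 6

# Assumed VLAN plan (hypothetical ids chosen for this example).
VLANS = {
    "registration": 2,   # unknown/unregistered node: captive portal, TOS page
    "isolation": 3,      # node flagged by the IDS (snort) or by an admin
    "normal": 10,        # registered node in good standing
}

# Constructed node table standing in for PacketFence's node database.
NODE_DB = {
    "00:11:22:33:44:55": {"status": "reg", "violation": False},
    "66:77:88:99:aa:bb": {"status": "reg", "violation": True},
    "cc:dd:ee:ff:00:11": {"status": "unreg", "violation": False},
}

_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(raw):
    """Canonicalise vendor MAC formats to lower-case colon-separated.

    Accepts aa-bb-cc-dd-ee-ff, aabb.ccdd.eeff, AABBCCDDEEFF, aa:bb:...;
    returns None when the string is not a 48-bit MAC (e.g. a real username).
    """
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", raw).lower()
    if not _HEX12.match(hexdigits):
        return None
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def choose_vlan(node):
    """Map node status to a VLAN: unknown/unregistered -> registration,
    registered with an open violation -> isolation, otherwise normal."""
    if node is None or node["status"] != "reg":
        return VLANS["registration"]
    if node["violation"]:
        return VLANS["isolation"]
    return VLANS["normal"]


def authorize(request):
    """Return (code, reply_attributes) for one MAC-auth Access-Request.

    `request` is a dict of RADIUS attributes as the server would hand to a
    policy module. Added sanity check (an assumption of this example, not a
    PacketFence behaviour): User-Name must parse as a MAC and must equal
    Calling-Station-Id, so a genuine 802.1X username or a mismatched request
    never falls through to the MAC policy and picks up a VLAN.
    """
    user_mac = normalize_mac(request.get("User-Name", ""))
    calling_mac = normalize_mac(request.get("Calling-Station-Id", ""))
    if user_mac is None or calling_mac is None or user_mac != calling_mac:
        return "Access-Reject", {}

    vlan = choose_vlan(NODE_DB.get(user_mac))
    return "Access-Accept", {
        "Tunnel-Type": TUNNEL_TYPE_VLAN,
        "Tunnel-Medium-Type": TUNNEL_MEDIUM_IEEE_802,
        "Tunnel-Private-Group-Id": str(vlan),
    }


if __name__ == "__main__":
    # Constructed requests in three vendor MAC formats.
    for req in (
        {"User-Name": "001122334455", "Calling-Station-Id": "00-11-22-33-44-55"},
        {"User-Name": "6677.8899.aabb", "Calling-Station-Id": "66:77:88:99:AA:BB"},
        {"User-Name": "cc:dd:ee:ff:00:11", "Calling-Station-Id": "ccddeeff0011"},
        {"User-Name": "alice", "Calling-Station-Id": "00:11:22:33:44:55"},
    ):
        print(req["User-Name"], "->", authorize(req))
```

Note that an unknown MAC is not rejected: it is accepted into the registration VLAN, which is exactly where the captive portal and the TOS page live. Rejecting it would leave the client with no network at all and no way to reach the portal.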
