I'll try to answer the questions inline. We did a similar setup which worked ok until we put a WiSM2 in the mix. We haven't had a chance to figure out what the issue was yet.
Disclaimer: I am just a user and I haven't tried 3.0 yet.

On Thu, Nov 10, 2011 at 11:45 AM, Leopold, Andrew W (LLU) <[email protected]> wrote:

> All,
>
> Thinking about using PF for Cisco WiSMs and LWAPP APs. Saw some postings that suggest I just need to point AAA at PF and be done with it, but I do not believe it is all that simplistic. I am still trying to figure out exactly what vlans should be on the nics of the system. I am confident the registration and isolation vlans need to be trunked. Assuming I will be changing vlans after registration using RADIUS attributes, then the first question:
>
> 1. Whether the user vlan needs to be on a PF nic? I would like our corporate DHCP/DNS to manage user vlan.

We put the PF NIC on the user vlan and also set up the dhcplisteners on the pfsniffer port so they can see the DHCP traffic. We then use our campus DHCP servers just like we always have.

> There is no real mention of a management vlan, yet I believe I need to attach that to a nic on PF so I can access the Web GUI. Brings up question:
>
> 2. Do I need to add a management vlan to nic on PF and assign an address?

We use the same NIC (VLAN subinterface) and IP as the user VLAN for the mgmt.

> Since our wireless has grown quite a bit and we do not desire to have too large a broadcast domain, we are using Interface Groups which attach multiple vlans to a dynamic interface on the WiSMs. Brings up more questions:
>
> 3. Do I have to make any special provisions for PF? Maybe helpers on those vlans point to management interface so dhcpdlisten can listen?

From my understanding, if you just group all those in your SPAN port and set the dhcplistener up it should work.

> 4. Do I need to trunk the Registration and Isolation vlans to the WiSMs?

Yes, just like any other VLAN you will need to trunk them to the WiSM and set up interfaces for them.

> 5. Relative to the WLAN configuration, what sort of special things must I do there to make sure PF will work?

Turn on MAC filtering and point the RADIUS for that SSID to the PF box. Packetfence will allow the client or move vlans with RADIUS. When defining the RADIUS server make sure to check the RFC 3567 check box so that PF can force a user to change VLANs. Also make sure you point SNMP traps at the pfsense box. It didn't seem to work correctly until SNMP was sending traps. Along with that, your WiSMs will send traps from the interface closest to the server. In our case this meant the user VLAN, which meant we had to define the WiSMs twice in the config to make things work: once with the public IP on the user VLAN and once with the mgmt IP so PF knew where to log in with SSH and SNMP to do its needed magic.

> 6. How do I ensure PF handles Web Auth and not Cisco?

Turn off the Cisco web auth feature on your WiSMs for that WLAN.

> 7. What Interface do I attach WLAN to? The Registration vlan and let AAA facilitate change to user vlan?

We attached the normal user VLAN to the WLAN. On another note, the RADIUS server is quite taxing on the MySQL instance. You should let it run for a bit, then, as noted in the performance tuning docs, run the MySQL performance tuner and make adjustments as needed. This made a night and day difference for us while it was working.

> As you can see I am very green on this and seek assistance from someone who is familiar with using PF on Cisco Wireless. Is there a collection of docs out there that would explain some of this better?
>
> Thank you,
>
> Andrew
>
> ------------------------------------------------------------------------------
> RSA(R) Conference 2012
> Save $700 by Nov 18
> Register now
> http://p.sf.net/sfu/rsa-sfdev2dev1
> _______________________________________________
> Packetfence-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/packetfence-users
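To make the "define the WiSM twice" workaround from the reply concrete, here is an added switches.conf fragment; it is not from the thread or from the PacketFence project, the IP addresses, VLAN IDs, community strings and credentials are constructed placeholders, and the key and type names are assumed to follow the PacketFence 3.x switches.conf format.

```ini
; /usr/local/pf/conf/switches.conf (added example; all values are constructed placeholders)

[default]
; Shared settings; the per-controller sections below inherit them
SNMPVersion = 2c
SNMPCommunityRead = pf_ro
SNMPCommunityWrite = pf_rw
SNMPCommunityTrap = pf_ro
radiusSecret = CHANGE_ME
registrationVlan = 2
isolationVlan = 3
normalVlan = 10

; Entry 1: the address the WiSM's SNMP traps actually come FROM, i.e. its
; dynamic interface on the user VLAN (the interface closest to the PF server).
; PF looks up the controller by the trap's source IP, so without this entry
; the traps are silently ignored and nothing appears to work.
[10.10.10.5]
type = Cisco::WiSM
mode = production

; Entry 2: the WiSM management IP, used when PF initiates the connection
; (SSH/CLI and SNMP reads/writes). Same controller, second definition.
[10.0.0.5]
type = Cisco::WiSM
mode = production
cliTransport = SSH
cliUser = pfadmin
cliPwd = CHANGE_ME
cliEnablePwd = CHANGE_ME
```

Whichever source IP the controller uses for RADIUS requests must also match one of these sections, otherwise the shared secret lookup fails; check the trap and RADIUS source addresses on the PF side before assuming the WLAN configuration is wrong.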
