Jonathan,

Appreciate the assist. Spoke a wee bit with "God of Bandwidth" :) who had a 
blog/wiki/listserv entry and he also was of some help. Seems like there is more 
than just pointing to WiSM and away you go. I could see attaching the USER vlan 
directly OR putting a helper on the router interface would both do the trick. I 
think in the long haul, with multiple SSIDs, multiple vlans per SSID 
(Interface group), the helpers are easier. I can see that management may be as 
simple as telling PF what IP to bind to Apache, whether it be USER, Management, 
Other. 

You seemed to mention "span port". I am unsure why I would need to span a port 
(Cisco terminology I hope). Can you elaborate?

Registration and Isolation trunked - check.

Support for RFC 3567 - wow, that is good to know. Not sure how come it cannot 
change vlans without that being enabled. That seems more like a crypto spec 
than a RADIUS change-vlan spec. :)

Seems like there is more configuration going on for just the WiSMs than for 
the rest of the system! Wish this all would be documented. Guess these emails 
are the documents. :)

Sorry to hear WISM2 is "different" and giving you grief. Hopefully you will 
iron that out. 

Currently have WiSM and WCS running 7.x. They have never been able to fix all 
the dbsolid crashes. I hear the NCS is nice and WCS is going to be a dead end. 
Thoughts?

Much Appreciated,

Andrew

-----Original Message-----
From: Jonathan Karras [mailto:[email protected]] 
Sent: Thursday, November 10, 2011 5:05 PM
To: [email protected]
Subject: Re: [Packetfence-users] Newbie

I'll try to answer the questions inline. We did a similar setup which
worked ok until we put a WiSM2 in the mix. We haven't had a chance to
figure out what the issue was yet.

Disclaimer: I am just a user and I haven't tried 3.0 yet.

On Thu, Nov 10, 2011 at 11:45 AM, Leopold, Andrew W (LLU)
<[email protected]> wrote:
> All,
>
> Thinking about using PF for Cisco WiSMs and LWAPP APs. Saw some postings
> that suggest I just need to point AAA at PF and be done with it, but I do
> not believe it is all that simplistic. I am still trying to figure out
> exactly what vlans should be on the nics of the system. I am confident the
> registration and isolation vlans need to be trunked. Assuming I will be
> changing vlans after registration using RADIUS attributes, then the first
> question:
>
> 1. Does the user vlan need to be on a PF nic? I would like our
> corporate DHCP/DNS to manage the user vlan.

We put the PF NIC on the user vlan and also setup the dhcplisteners on
the pfsniffer port so they can see the DHCP traffic. We then use our
campus DHCP servers just like we always have.

>
> There is no real mentioning of a management vlan, yet I believe I need to
> attach that to a nic on PF so I can access the Web GUI. Brings up question:
>
> 2. Do I need to add a management vlan to a nic on PF and assign an
> address?
>

We use the same NIC (VLAN subinterface) and IP as the user VLAN for the mgmt.

>
> Since our wireless has grown quite a bit and we do not desire to have too
> large a broadcast domain, we are using Interface Groups which attach
> multiple vlans to a dynamic interface on the WiSMs. Brings up more
> questions:
>
> 3. Do I have to make any special provisions for PF? Maybe helpers on
> those vlans pointing to the management interface so dhcpdlisten can listen?

From my understanding, if you just group all those in your SPAN port
and set the dhcplistener up it should work.

>
> 4. Do I need to trunk the Registration and Isolation vlans to the
> WiSMs?

Yes, just like any other VLAN you will need to trunk them to the WiSM
and set up interfaces for them.

>
> 5. Relative to the WLAN configuration, what sort of special things
> must I do there to make sure PF will work?

Turn on MAC filtering and point the RADIUS for that SSID to the PF
box. Packetfence will allow the client or move VLANs with RADIUS. When
defining the RADIUS server make sure to check the RFC 3567 check box
so that PF can force a user to change VLANs.

Also make sure you point SNMP traps at the pfsense box. It didn't seem
to work correctly until SNMP was sending traps. Along with that, your
WiSMs will send traps from the interface closest to the server. In
our case this meant the user VLAN, which meant we had to define the
WiSMs twice in the config to make things work: once with the public
IP on the user VLAN and once with the mgmt IP, so PF knew where to
log in with SSH and SNMP to do its needed magic.

>
> 6. How do I ensure PF handles Web Auth and not Cisco?

Turn off the Cisco web auth feature on your WiSMs for that WLAN.

>
> 7. What interface do I attach the WLAN to? The Registration vlan and let
> AAA facilitate the change to the user vlan?

We attached the normal user VLAN to the WLAN.


On another note the RADIUS server is quite taxing on the MySQL
instance. You should let it run for a bit then as noted in the
performance tuning docs run the MySQL performance tuner and make
adjustments as needed. This made a night and day difference for us
while it was working.

>
> As you can see I am very green on this and seek assistance from someone who
> is familiar with using PF on Cisco Wireless. Is there a collection of docs
> out there that would explain some of this better?
>
> Thank you,
>
> Andrew
>
> ------------------------------------------------------------------------------
> RSA(R) Conference 2012
> Save $700 by Nov 18
> Register now
> http://p.sf.net/sfu/rsa-sfdev2dev1
> _______________________________________________
> Packetfence-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/packetfence-users
>

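Jonathan's answer to question 5 (MAC filtering, RADIUS pointed at PF, and PF moving the client between VLANs with RADIUS) and the registration/isolation/user VLAN split discussed throughout the thread, as an added example that is not PacketFence's own code: it builds and parses the RFC 2868 tunnel attributes that a RADIUS Access-Accept carries to place a wireless client in a VLAN. The VLAN ids and the pick_vlan helper are assumptions constructed for illustration.

```python
import struct
from typing import Dict, Optional

TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN = 13         # Tunnel-Type value meaning "VLAN" (RFC 3580)
TUNNEL_MEDIUM_IEEE_802 = 6    # Tunnel-Medium-Type value for IEEE 802
# Constructed VLAN ids for the three roles the thread discusses (assumption)
VLANS = {"registration": 10, "isolation": 20, "user": 100}

def pick_vlan(registered: bool, in_violation: bool) -> int:
    """Out-of-band flow from the thread: violation -> isolation, unregistered -> registration."""
    if in_violation:
        return VLANS["isolation"]
    return VLANS["user"] if registered else VLANS["registration"]

def _avp(atype: int, value: bytes) -> bytes:
    """One RADIUS attribute TLV: type, length (includes the 2-byte header), value."""
    return struct.pack("!BB", atype, len(value) + 2) + value

def vlan_assignment_attrs(vlan_id: int, tag: int = 1) -> bytes:
    """The three Access-Accept attributes that move a client into vlan_id."""
    if not 1 <= vlan_id <= 4094 or not 0x01 <= tag <= 0x1F:
        raise ValueError("VLAN id or tag out of range")
    # Tagged integer attributes: tag octet followed by the low 3 octets of the value
    tunnel_type = bytes([tag]) + struct.pack("!I", TUNNEL_TYPE_VLAN)[1:]
    medium = bytes([tag]) + struct.pack("!I", TUNNEL_MEDIUM_IEEE_802)[1:]
    group = bytes([tag]) + str(vlan_id).encode("ascii")   # tagged string
    return (_avp(TUNNEL_TYPE, tunnel_type) + _avp(TUNNEL_MEDIUM_TYPE, medium)
            + _avp(TUNNEL_PRIVATE_GROUP_ID, group))

def parse_attrs(buf: bytes) -> Dict[int, bytes]:
    """Walk attribute TLVs into {type: raw value}; rejects truncated or bogus lengths."""
    out, i = {}, 0
    while i < len(buf):
        if len(buf) - i < 2 or buf[i + 1] < 2 or i + buf[i + 1] > len(buf):
            raise ValueError("malformed attribute at offset %d" % i)
        out[buf[i]] = buf[i + 2:i + buf[i + 1]]
        i += buf[i + 1]
    return out

def assigned_vlan(buf: bytes) -> Optional[int]:
    """VLAN id the attributes would place the client in, or None if not a VLAN assignment."""
    attrs = parse_attrs(buf)
    ttype, group = attrs.get(TUNNEL_TYPE), attrs.get(TUNNEL_PRIVATE_GROUP_ID)
    if ttype is None or group is None or int.from_bytes(ttype[1:], "big") != TUNNEL_TYPE_VLAN:
        return None
    if group and group[0] <= 0x1F:   # leading octet <= 0x1F is a tag, not part of the string
        group = group[1:]
    return int(group) if group.isdigit() else None
```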