On 07/02/12 10:45 AM, Sallee, Stephen (Jake) wrote:
> OK! So!  Due to our Cisco hardware not being capable of dynamic vlan 
> assignment while in HREAP mode we will most likely not be able to use the 
> vlan assignment feature in PF.  Cisco has stated that the ability may be 
> available in the future but not now.
> 

FYI I just documented the limitation in our pf::SNMP::Cisco::Aironet and
pf::SNMP::Cisco::WiSM (same as WLC) modules. Thanks for letting us know.

> To that end we have devised a workaround that involves statically assigning 
> the vlan based on the SSID.  We need to disable the vlan assignment feature 
> in PF and we would also like to change the violation feature's behavior from 
> placing the user into an isolation vlan (which is now impossible ... thanks to 
> Cisco) to simply denying them access completely.
> 
> If anyone has done something like this please share your experiences.

As Francois said off-list (pasting it here for future reference):

> 
> I might have an idea.  We did that at another client's facilities.  In fact, 
> two options:
> - Modify vlan/custom.pm to return nothing if the request comes from a 
> particular AP ($node_info->{'last_switch'} eq 'someip')
> - Modify radius/custom.pm to bump the tunnel attributes if we receive say 
> VLAN id 9999.  In switches.conf, we would set vlan 9999 for the AP.
> 
> It might do what you want if I assume that you won't do registration or 
> isolation on that particular AP. 

Regards,
-- 
Olivier Bilodeau
[email protected]  ::  +1.514.447.4918 *115  ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence
(www.packetfence.org)

_______________________________________________
Packetfence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users