> VLANs come from category criteria, and are assigned only by the first 802.1X login.
That is mostly true; however, your VLAN is evaluated on each association. After reading Francois' email I will give you a hypothetical situation that may fit better into your deployment. Let's say you have an AD or LDAP backend that houses your users in different security groups. When a user in security group A authenticates, PF will do an LDAP query and make a VLAN assignment based on the logic you have defined. When that user logs out, another user in security group B can then log into the SAME device and associate. Since local WiFi profiles are user-based, they will need to provide their credentials to successfully auth to the wireless network. PF will see the new group membership and act accordingly; notice they will NOT be asked to register the device again. You can test this by configuring your connection NOT to cache credentials and entering two different users. We accomplish this with domains: we have multiple domains and you are assigned a VLAN based on said domain.

This assumes that you are using some kind of authentication mechanism that requires users to submit credentials BEFORE they are allowed to associate with the network. PEAP/MSCHAPv2 is an example. Once a user is on the network a VLAN assignment has necessarily already been made ... at this point PF is out of the loop in a VLAN deployment. If you want to have an open SSID with no user auth before the captive portal then you will need to do something like automatically un-registering the device as soon as a user disassociates, etc. However, this would force your users to re-register every time too.

It is my personal experience that open SSIDs are more trouble than they are worth. Open means open; trying to shoe-horn security into it makes trouble for everyone. I can't tell you how much trouble I have been through because people want the ease of open SSIDs with the security of WPA2 Enterprise ... it simply does not exist.
Jake Sallee
Godfather of Bandwidth
Network Engineer
University of Mary Hardin-Baylor
900 College St.
Belton, Texas 76513
Fone: 254-295-4658
Phax: 254-295-4221

________________________________________
From: Rich Graves [[email protected]]
Sent: Wednesday, February 29, 2012 9:21 AM
To: [email protected]
Subject: Re: [Packetfence-users] PF and eduroam

>> Oh yes, and this needs to be in full production no later than March 26.
>> So the less code that needs to be written and debugged, the better.
>
> So you want a full 802.1X implementation from a new vendor in 1 month? You
> sir, have what we call an aggressive timetable! You will want to take
> the age-old HaE approach, that would be Hire an Expert. Call Inverse, buy
> their support. They are amazing.

Already done; my email follows an initial consult with Inverse. In one hour, they cleared up several things I'd been stuck on for a month, but they have not done an eduroam engagement before and did not have a (quick) answer to this question.

Actually, the March 26 deadline only applies to the public/captive portal SSID. It would be nice to integrate the eduroam/secure SSID, but it's not strictly required. We already have eduroam violations feeding into a crufty home-grown system. I was hoping someone in the community had something to share. Looks like Peter has moved on to another role... I'll try to track down his successor. His "Customized violation notices" thread from July 2010 is also of interest.

> We also place users in separate VLANs depending on how they log in, in our
> case students get placed on one VLAN and Faculty/Staff on another. This
> is decided by their credentials and if you configure the wireless connection
> NOT to cache the creds then users can associate with the new VLAN without
> even logging out of the device.

Interesting; I'll try it.
I'm pretty sure I was told (by someone else on this list) that it would not work this way -- VLANs come from category criteria, and are assigned only by the first 802.1X login. Maybe the functionality that you depend on was broken by the performance optimizations touted in 3.1 and 3.2?

------------------------------------------------------------------------------
Virtualization & Cloud Management Using Capacity Planning
Cloud computing makes use of virtualization - but cloud computing also focuses on allowing computing to be delivered as a service.
http://www.accelacomm.com/jaw/sfnl/114/51521223/
_______________________________________________
Packetfence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
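As an added illustration of the behaviour Jake describes at the top of this thread (a secure SSID re-deriving the VLAN from group membership on every association, versus an open SSID where the device's registration is all PF ever sees after the first login), here is a small Python model. It is example code written for this page, not PacketFence code or configuration: the directory contents, the group-to-VLAN rules, the VLAN IDs and the MAC address are all constructed for the demo, and the only real protocol element is the RFC 3580 Tunnel-* attribute set a RADIUS server returns to place the client in a VLAN. The `on_disassociate` hook models the "unregister on disassociation" workaround for open SSIDs and shows its cost: the next association lands back in the registration VLAN.

```python
from __future__ import annotations

# Hypothetical model (not PacketFence code) of the behaviour described in the
# thread: device registration is keyed by MAC, while the VLAN is re-derived
# from the authenticating user's group membership on every 802.1X association.

# Constructed directory: user -> security groups (stands in for AD/LDAP).
DIRECTORY: dict[str, set[str]] = {
    "alice": {"staff"},
    "bob": {"students"},
    "carol": set(),            # valid account, member of no mapped group
}

# Constructed policy: ordered group -> VLAN rules, first match wins.
GROUP_VLAN_RULES: list[tuple[str, int]] = [("staff", 100), ("students", 200)]
REGISTRATION_VLAN = 2          # unregistered devices land here (captive portal)
DEFAULT_VLAN = 300             # authenticated, but no rule matched

# Registration table: MAC -> user who registered the device.
REGISTRATIONS: dict[str, str] = {}


def register_device(mac: str, user: str) -> None:
    REGISTRATIONS[mac.lower()] = user


def unregister_device(mac: str) -> None:
    REGISTRATIONS.pop(mac.lower(), None)


def vlan_for_user(user: str) -> int:
    """Fresh group lookup on every call; nothing is cached from an earlier login."""
    try:
        groups = DIRECTORY[user]
    except KeyError:
        raise PermissionError(f"unknown user {user!r}") from None
    for group, vlan in GROUP_VLAN_RULES:
        if group in groups:
            return vlan
    return DEFAULT_VLAN


def radius_vlan_attrs(vlan: int) -> dict[str, str]:
    """RFC 3580 reply attributes that move the client's port into `vlan`."""
    return {
        "Tunnel-Type": "VLAN",
        "Tunnel-Medium-Type": "IEEE-802",
        "Tunnel-Private-Group-Id": str(vlan),
    }


def assign_vlan_8021x(mac: str, user: str) -> dict[str, str]:
    """Secure SSID: credentials arrive with every association, so the VLAN
    follows the user even when a different person uses the same device."""
    if mac.lower() not in REGISTRATIONS:
        return radius_vlan_attrs(REGISTRATION_VLAN)
    return radius_vlan_attrs(vlan_for_user(user))


def assign_vlan_open(mac: str) -> dict[str, str]:
    """Open SSID: the only identity seen is the MAC, so the VLAN is whatever
    was decided for the user who registered the device, however stale."""
    owner = REGISTRATIONS.get(mac.lower())
    if owner is None:
        return radius_vlan_attrs(REGISTRATION_VLAN)
    return radius_vlan_attrs(vlan_for_user(owner))


def on_disassociate(mac: str, unregister_on_leave: bool) -> None:
    """Workaround from the thread for open SSIDs: drop the registration when
    the client leaves, at the cost of making it re-register every time."""
    if unregister_on_leave:
        unregister_device(mac)


def demo() -> list[tuple[str, str]]:
    """Walk one shared device through both SSID types; returns (step, VLAN)."""
    REGISTRATIONS.clear()
    mac = "AA:BB:CC:DD:EE:01"   # constructed client MAC
    steps: list[tuple[str, str]] = []
    steps.append(("8021x unregistered", assign_vlan_8021x(mac, "alice")["Tunnel-Private-Group-Id"]))
    register_device(mac, "alice")  # captive-portal registration happens once
    steps.append(("8021x alice", assign_vlan_8021x(mac, "alice")["Tunnel-Private-Group-Id"]))
    steps.append(("8021x bob same device", assign_vlan_8021x(mac, "bob")["Tunnel-Private-Group-Id"]))
    steps.append(("8021x carol no group", assign_vlan_8021x(mac, "carol")["Tunnel-Private-Group-Id"]))
    steps.append(("open bob inherits alice", assign_vlan_open(mac)["Tunnel-Private-Group-Id"]))
    on_disassociate(mac, unregister_on_leave=True)
    steps.append(("open after forced unregister", assign_vlan_open(mac)["Tunnel-Private-Group-Id"]))
    return steps


if __name__ == "__main__":
    for step, vlan in demo():
        print(f"{step:30} -> VLAN {vlan}")
```

The two things worth taking from the walkthrough: on the 802.1X SSID the same registered device yields VLAN 100 for alice and VLAN 200 for bob with no second registration, which is exactly what the "don't cache credentials" test in the thread exercises; on the open SSID bob simply inherits alice's VLAN, and the only way to change that is to throw the registration away on disassociation.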
