Just for clarification, I want to make sure you understand our logic flow:

SSID Open: people will just connect to this on vlan 96 and instantly have
access (firewalled downstream to limited outgoing ports)

SSID Internal: people will connect to this on vlan 95, they will see the
registration portal, authenticate (via a different RADIUS server), and then
they will be switched to vlan 94 and have full network access

Looking over your replies, I started to think that maybe the scheme you
listed is more like for Guest access, they get the portal, and then users
that want full network access will have to have some other type of
credential and they never see a portal?

On Fri, Sep 14, 2012 at 8:56 AM, David Schiller <[email protected]> wrote:

>
> On Sep 14, 2012 4:51 AM, "Francois Gaudreault" <[email protected]>
> wrote:
> >
> > Hi,
> >
> > > Hello, I am trying to convert our inline packetfence setup into VLAN
> > > mode.  I seem to be having trouble with SNMP traps being sent from our
> > > Cisco 1131's to the PF server.  Although I have it configured to send
> > > all SNMP traps to PF, the only one that gets sent are DISASSOCIATE
> > > traps... check out this debug output from the switch:
> > >
> > > The trap is sent fine for the DISASSOC, but not for the ASSOC... any
> > > ideas why?
> > Don't put too much effort on that... PF is not consuming either traps.
> > Even if you send them, we will drop them :)  PF talks only RADIUS or
> > SSH/Telnet (to perform deauth) to those APs.  You may also need a read
> > community string setup, but that's basically it.
> >
> > >
> > > I also have some questions about this setup... can I do VLAN switching
> > > just by using SNMP traps?  Or do I need 802.1x/MAC-auth set up to get
> > > that going?  I don't believe that these switches support port-security.
> > You need to use AAA (RADIUS).  This is the only way of doing dynamic
> > vlan assignment on aironets.
> >
>
> Ahhh, OK, I will try to set that up.  Is it OK to have radius on PF doing
> VLAN stuff, and a different radius on another server for registration?
>
> > >
> > > Another issue I am having is with assigning VLAN's to be either
> > > Registration or Normal VLAN's... here's my desired VLAN breakdown:
> > >
> > > 96: Guest VLAN (this works)
> > > 95: Registration VLAN - hosts associate with an SSID with this VLAN, and
> > > after they register, they should be switched to VLAN 94
> > > 94: Normal(?) VLAN - hosts will be in here after they pass registration
> > > 93: this is my "native VLAN" for the switch, the switch has an IP
> > > address in this VLAN and this is the management VLAN for PF
> > > 92: MAC detect (?)
> > >
> > > So, using this scheme, I would put 96 as "Guest VLAN", and 92 as "Mac
> > > Detect VLAN", but what about the others?  95 should be a "Registration
> > > VLAN", obviously, but what about 94?  Is that another "Registration
> > > VLAN", or is that a "Normal VLAN"?  And what would I set 93 to be?
> > Your assumptions are right.  94 would be the normal (aka Production)
> > VLAN, and you don't need to configure VLAN 93 on the PF side.  This is
> > not a VLAN that you will return to the users.
> >
> > > Also, on the switch itself, I would like two SSID's: Open (for vlan 96),
> > > and Internal (for 95/94).  When I create the SSID on the switch, do I
> > > just set Internal to VLAN 95?  How does it know to use VLAN 94 instead
> > > after people register?
> > Ok here is the thing.  Those APs will not allow you to use an encrypted
> > VLAN on an open SSID.  So you need to a) avoid registration on the secure
> > SSID or b) have multiple registration vlans.
> >
> > Now the way it works is simple.  If you refer to our network guide, you
> > will see that you need to tell the SSID which VLANs will be used (see
> > "vlan x backup y z" line).  So let's take your VLANs, I would do:
> >
> > OPEN
> > - vlan 95 backup 96
> >
> > SECURE (802.1x w/ auto-reg for example)
> > - vlan 94
> >
> > You do not need the MAC detect VLAN on the wireless.
> >
> > I hope it helps.  Feel free to ask more questions :)
> >
>
> Are you sure the vlans you listed are correct for my setup?  You put open
> on 95 with 96 backup, but shouldn't OPEN just have 96, and Internal would
> be maybe 95 with 94 backup?  It is a little unclear to me what the backup
> vlan is doing in this situation.
>
> Thanks for your help!
>
> > --
> > Francois Gaudreault, ing. jr
> > [email protected]  ::  +1.514.447.4918 (x130) ::  www.inverse.ca
> > Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence
> > (www.packetfence.org)
> >
> >
> > _______________________________________________
> > PacketFence-users mailing list
> > [email protected]
> > https://lists.sourceforge.net/lists/listinfo/packetfence-users
>
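The thread's answer is that dynamic VLAN assignment on these Aironet APs happens through RADIUS, not SNMP traps: PacketFence decides which VLAN a client belongs in (registration VLAN 95 until it registers, normal VLAN 94 afterwards, guest VLAN 96 on the open SSID) and returns that VLAN in the Access-Accept. The following is an added illustration, not PacketFence code or anything from the list posters, of what that Access-Accept carries. It uses the standard RFC 3580 / RFC 2868 tunnel attributes (Tunnel-Type = VLAN, Tunnel-Medium-Type = IEEE-802, Tunnel-Private-Group-ID = VLAN number); the SSID names and the decision function are assumptions modelled on the VLAN plan described in the thread.

```python
import struct

# Standard RADIUS attribute numbers and enumerations (RFC 2868 / RFC 3580).
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_IEEE_802 = 6

# VLAN plan taken from the thread (a constructed mapping for this example).
GUEST_VLAN = 96
REGISTRATION_VLAN = 95
NORMAL_VLAN = 94


def choose_vlan(ssid: str, registered: bool) -> int:
    """Return the VLAN the NAC should hand back for this association.

    Assumed policy, mirroring the plan in the thread: the open SSID always
    lands in the guest VLAN; the internal SSID lands unregistered clients in
    the registration VLAN and registered clients in the normal VLAN.
    """
    if ssid == "Open":
        return GUEST_VLAN
    if ssid == "Internal":
        return NORMAL_VLAN if registered else REGISTRATION_VLAN
    # Fail closed: an SSID the policy does not know gets no VLAN at all.
    raise ValueError(f"unknown SSID {ssid!r}")


def vlan_avps(vlan: int, tag: int = 0) -> bytes:
    """Encode the three RFC 3580 tunnel attributes as raw RADIUS AVPs.

    Each AVP is type(1) length(1) value. Tunnel attributes carry a leading
    tag octet (0 = untagged, RFC 2868); the integer ones use 3 value octets
    after the tag, so they are 6 octets long in total.
    """
    def tagged_int(attr_type: int, value: int) -> bytes:
        return struct.pack("!BBB", attr_type, 6, tag) + struct.pack("!I", value)[1:]

    def tagged_str(attr_type: int, value: str) -> bytes:
        data = value.encode()
        return struct.pack("!BBB", attr_type, 3 + len(data), tag) + data

    return (tagged_int(TUNNEL_TYPE, TUNNEL_TYPE_VLAN)
            + tagged_int(TUNNEL_MEDIUM_TYPE, TUNNEL_MEDIUM_IEEE_802)
            + tagged_str(TUNNEL_PRIVATE_GROUP_ID, str(vlan)))


def parse_avps(blob: bytes) -> dict:
    """Decode the tunnel AVPs back into {attribute_type: value}.

    Handy for checking what an Access-Accept actually told the AP, e.g. when
    a client stays in the registration VLAN after registering.
    """
    out = {}
    i = 0
    while i < len(blob):
        attr_type, length = blob[i], blob[i + 1]
        body = blob[i + 2:i + length]
        if attr_type in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            out[attr_type] = int.from_bytes(body[1:], "big")  # skip the tag
        elif attr_type == TUNNEL_PRIVATE_GROUP_ID:
            out[attr_type] = body[1:].decode()
        i += length
    return out


def access_accept_vlan_attrs(ssid: str, registered: bool) -> bytes:
    """Policy decision plus encoding: the VLAN part of an Access-Accept."""
    return vlan_avps(choose_vlan(ssid, registered))


if __name__ == "__main__":
    for ssid, registered in (("Open", False), ("Internal", False), ("Internal", True)):
        attrs = access_accept_vlan_attrs(ssid, registered)
        print(ssid, "registered" if registered else "unregistered", parse_avps(attrs))
```

Reading the decoded attributes is the quickest way to confirm which VLAN the RADIUS server returned for a given client, independently of what the AP then does with it; if the AP's SSID is not configured to carry that VLAN (the "vlan x backup y z" line the reply refers to), the Access-Accept can be correct and the client still ends up in the wrong place.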