Hi Fabrice,
> It should be different for your access point, uci add
> wireless.@wifi-iface[0].macfilter=2 is not working in my access
> point.

Actually, I did change the /etc/config/wireless file that way:

config wifi-iface
        option device 'radio0'
        option mode 'ap'
        option ssid 'OpenWrt'
        option encryption 'none'
        option auth_server '192.168.1.1'
        option auth_port '1812'
        option auth_secret 's3cr3t'
        option dynamic_vlan '2'
        option vlan_file '/etc/config/hostapd.vlan'
        option vlan_tagged_interface 'eth0'
        option radius_das_port '3799'
        option macfilter '2'
        option radius_das_client '192.168.1.1 s3cr3t'
        option network 'lan'
        option acct_server '192.168.1.1'
        option acct_port '1813'
        option acct_secret 's3cr3t'
        option nasid 'ubiquiti'

and it works fine that way. I'm just wondering, what is the 'radius_das_client' line for exactly?

> Isolation and registration vlan are 2 separate ipv4 networks, so why
> don't you use this network as a layer 2 network (packetfence is the
> dhcp, dns, default gateway of these 2 networks) and when the device
> is successfully registered then you send another vlan id where you
> have your own dhcp, gateway .... ? or maybe i don't understand your
> setup.

Yes, we just figured that was probably the best way to handle this. We intend to have several hundred APs sharing the same internet connection, though, and we were used to having each AP behave as a router, DHCP server, and DNS server to avoid too much load on the main router. But you're right, and it's probably an OpenWrt configuration issue to achieve this, and not a pf issue.

> > So my question is: should I manually (and statically) configure
> > the
> > registration and isolation vlans on openWRT? How would pf interact
> > then with openwrt when a connection request arrives?
>
> Yes you should but packetfence must receive the dhcp traffic and each
> time a device tries to connect to your ssid then you receive a radius
> request.

ok, seems clear now.
One last question: if we have an OpenWrt AP configured in pf as a switch, with MAC auth, not 802.1X, which is also connected (by radio, using a hidden SSID) to one AP not supported by pf (and not able to use VLAN assignment over one SSID), is there a way to control access to the network from PacketFence? I guess that in that case, pf will get the MAC address of the remote AP, and not the address of the remote node connected to that AP?

Here is a small diagram to make it clearer:

pf -- R1 -- R2 -- AP1 -- AP2 -- User1,User2

R1 and R2 are routers.
AP1 is OpenWrt / SSID: OpenWRT-Public and hidden SSID: secure-bridge
AP2 is not OpenWrt and not pf-aware / SSID: OpenWRT-Public and hidden SSID: secure-bridge

If User1 and User2 connect to the OpenWRT-Public SSID (on AP2), is there any way pf could discriminate between User1, User2, and the AP2 MAC address, and provide some kind of 'remote inline mode'?

Thanks for your help,
Fred

_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
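Editor's note on the 'radius_das_client' question in the message above. On OpenWrt this wifi-iface is driven by hostapd: radius_das_port opens an RFC 5176 Dynamic Authorization Server (DAS) on the AP, and radius_das_client names the single IP address that is allowed to send Disconnect-Request or CoA-Request packets to that port, together with the shared secret the AP uses to authenticate them. A NAC server uses this to kick a client off the SSID so that it re-authenticates and picks up its newly assigned VLAN. The block below is an added example, not code from the thread, from hostapd or from PacketFence: it builds a Disconnect-Request the way the DAS client would and verifies it the way the AP must before acting, so it shows exactly what the secret in radius_das_client protects. The shared secret s3cr3t and NAS-Identifier ubiquiti are taken from the posted config; the client MAC 00-11-22-33-44-55, the packet identifier and the attribute set are assumptions chosen for illustration.

```python
# Added example (not from the thread, hostapd or PacketFence): minimal
# RFC 5176 Disconnect-Request build and verify, i.e. the exchange that the
# hostapd options radius_das_port / radius_das_client '<ip> <secret>' enable.
# Only the IP named in radius_das_client may send these packets, and the
# secret is what the AP uses to check the two authenticators computed here.
import hashlib
import hmac
import struct

DISCONNECT_REQUEST = 40          # RFC 5176 packet code
ATTR_USER_NAME = 1
ATTR_CALLING_STATION_ID = 31     # the client MAC, as hostapd reports it
ATTR_NAS_IDENTIFIER = 32
ATTR_MESSAGE_AUTHENTICATOR = 80  # RFC 3579 HMAC-MD5 attribute


def _attr(attr_type, value):
    """Encode one RADIUS attribute as Type, Length, Value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_disconnect_request(secret, ident, attrs):
    """Build a Disconnect-Request as the DAS client (the NAC server) would.

    secret: shared secret bytes (second field of radius_das_client)
    attrs:  list of (type, value_bytes) identifying the session to drop
    """
    body = b"".join(_attr(t, v) for t, v in attrs)
    body += _attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))      # placeholder
    header = struct.pack("!BBH", DISCONNECT_REQUEST, ident, 20 + len(body))
    zero_auth = bytes(16)
    # Message-Authenticator: HMAC-MD5 keyed with the secret over the packet,
    # with both the Request Authenticator field and the attribute value zeroed.
    msg_auth = hmac.new(secret, header + zero_auth + body, hashlib.md5).digest()
    body = body[:-16] + msg_auth
    # Request Authenticator (RFC 2866 style, as RFC 5176 requires):
    # MD5 over the packet with a zeroed authenticator field, then the secret.
    req_auth = hashlib.md5(header + zero_auth + body + secret).digest()
    return header + req_auth + body


def parse_attributes(packet):
    """Return [(type, value)] from a RADIUS packet, or None if malformed."""
    attrs, off, data = [], 0, packet[20:]
    while off < len(data):
        if off + 2 > len(data):
            return None
        t, length = data[off], data[off + 1]
        if length < 2 or off + length > len(data):
            return None
        attrs.append((t, data[off + 2:off + length]))
        off += length
    return attrs


def verify_disconnect_request(secret, packet):
    """Check a Disconnect-Request the way the AP (DAS server) must before acting.

    True only when code and length are sane, the Request Authenticator matches
    and a valid Message-Authenticator is present. A request without one is
    rejected here (assumption: the strict setting; not every DAS is that strict).
    """
    if len(packet) < 20:
        return False
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != DISCONNECT_REQUEST or length != len(packet):
        return False
    zeroed = packet[:4] + bytes(16) + packet[20:]
    expected_req_auth = hashlib.md5(zeroed + secret).digest()
    if not hmac.compare_digest(expected_req_auth, packet[4:20]):
        return False
    attrs = parse_attributes(packet)
    if attrs is None:
        return False
    off = 20                                   # absolute offset of current attr
    for t, v in attrs:
        if t == ATTR_MESSAGE_AUTHENTICATOR:
            if len(v) != 16:
                return False
            with_zero_ma = zeroed[:off + 2] + bytes(16) + zeroed[off + 18:]
            expected_ma = hmac.new(secret, with_zero_ma, hashlib.md5).digest()
            return hmac.compare_digest(expected_ma, v)
        off += 2 + len(v)
    return False


def disconnect_target(packet):
    """Return the Calling-Station-Id (client MAC) named in the request."""
    for t, v in parse_attributes(packet) or []:
        if t == ATTR_CALLING_STATION_ID:
            return v.decode("ascii", "replace")
    return None


if __name__ == "__main__":
    # Constructed sample: secret and NAS-Identifier from the posted config,
    # hypothetical client MAC and user name.
    secret = b"s3cr3t"
    pkt = build_disconnect_request(secret, 1, [
        (ATTR_USER_NAME, b"user1"),
        (ATTR_CALLING_STATION_ID, b"00-11-22-33-44-55"),
        (ATTR_NAS_IDENTIFIER, b"ubiquiti"),
    ])
    print(pkt.hex())
    print("accepted with configured secret:", verify_disconnect_request(secret, pkt))
    print("accepted with wrong secret:", verify_disconnect_request(b"other", pkt))
    print("session to drop:", disconnect_target(pkt))
```

Two practical consequences follow from this: the AP also discards DAS packets whose source IP is not the one in radius_das_client, so the entry must name the address the NAC actually sends from (here 192.168.1.1, the same host as auth_server); and both checks are MD5-based and keyed only by the shared secret, so a short secret like the one in the posted config is worth replacing with a long random one on anything beyond a lab.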
