On 2014-01-29 09:40, Frederic Hermann wrote:
> Hi Fabrice,
>
>> It should be different for your access point, uci add
>> wireless.@wifi-iface[0].macfilter=2 is not working in my access
>> point.
> Actually, I did change the /etc/config/wireless file that way:
>
> config wifi-iface
>         option device 'radio0'
>         option mode 'ap'
>         option ssid 'OpenWrt'
>         option encryption 'none'
>         option auth_server '192.168.1.1'
>         option auth_port '1812'
>         option auth_secret 's3cr3t'
>         option dynamic_vlan '2'
>         option vlan_file '/etc/config/hostapd.vlan'
>         option vlan_tagged_interface 'eth0'
>         option radius_das_port '3799'
>         option macfilter '2'
>         option radius_das_client '192.168.1.1 s3cr3t'
>         option network 'lan'
>         option acct_server '192.168.1.1'
>         option acct_port '1813'
>         option acct_secret 's3cr3t'
>         option nasid 'ubiquiti'
>
> and it works fine that way.
>
> I'm just wondering, what is the 'radius_das_client' line for exactly?

It's used to disconnect the device from the SSID to re-evaluate the VLAN id after registration.

>> Isolation and registration vlan are 2 separate ipv4 networks, so why
>> don't you use this network as layer 2 network (packetfence is the
>> dhcp, dns, default gateway of these 2 networks) and when the device
>> is successfully registered then you send another vlan id where you
>> have your own dhcp, gateway .... ? or maybe i don't understand your
>> setup.
> Yes, we just figured that was probably the best way to handle this. We intend
> to have several 100s of APs sharing the same internet connection, though, and
> we were used to having each AP behave as router, dhcp server, and DNS server
> to avoid too much load on the main router.
> But you're right, and it's probably an openwrt configuration issue to achieve
> this, and not a pf issue.
>
>>> So my question is : should I manually (and statically) configure the
>>> registration and isolation vlans on openWRT ? How would pf interact
>>> then with openwrt when a connection request arrives?
>> Yes you should but packetfence must receive the dhcp traffic and each
>> time a device tries to connect to your ssid then you receive a radius
>> request.
> ok, seems clear now.
>
> One last question :
> if we have an openwrt AP configured in pf as a switch, with MAC auth, not
> 802.1x, which is also connected (by radio, using a hidden SSID) to one AP not
> supported by pf (and not able to use vlan assignment over one SSID), is
> there a way to control access to the network from PacketFence?

In fact if you configure mac auth only on OpenWRT-Public (radius config), then only this ssid will be managed by pf.

> I guess that in that case, pf will get the MAC address of the remote AP, and
> not the address of the remote Node connected to that AP ?
>
> Here is a small diagram to make it clearer:
>
> pf -- R1 -- R2 -- AP1 -- AP2 -- User1,User2
>
> R1 and R2 are routers,
> AP1 is openwrt / SSID: OpenWRT-Public and Hidden SSID: secure-bridge
> AP2 is not openwrt and not pf-aware / SSID: OpenWRT-Public and Hidden SSID:
> secure-bridge
>
> If User1 and User2 connect to the OpenWRT-Public SSID (on AP2), is there any way
> pf could discriminate between User1, User2, and the AP2 MAC address, and provide
> some kind of 'remote inline mode' ?
>
> Thanks for your help,
>
> Fred

-- 
Fabrice Durand
[email protected] :: +1.514.447.4918 (x135) :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence (http://packetfence.org)

_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
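As an added illustration of the 'radius_das_client' answer above (my own example, not code from the thread, PacketFence or hostapd): the RFC 5176 Disconnect-Request exchange that the radius_das_port / radius_das_client options enable, with the NAC building the request, the AP accepting it only from the configured client IP with the configured secret, and the NAC authenticating the reply. The IP, secret and nasid come from the quoted config; the connected station MAC and the simplified AP-side handling (no Message-Authenticator attribute) are assumptions.

```python
import hashlib
import hmac
import struct

DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42  # RFC 5176 packet codes
ATTR_CALLING_STATION_ID, ATTR_NAS_IDENTIFIER, ATTR_ERROR_CAUSE = 31, 32, 101
DAS_CLIENT_IP, DAS_SECRET, NAS_ID = "192.168.1.1", b"s3cr3t", "ubiquiti"  # from the thread's config
CONNECTED_STATIONS = {"AA-BB-CC-DD-EE-FF"}  # constructed: the station currently on the SSID

def _attr(attr_type, value):
    return struct.pack("!BB", attr_type, len(value) + 2) + value  # TLV; length counts the 2-byte header

def parse_attrs(attrs):
    out, i = {}, 0  # {type: value}; malformed lengths are rejected rather than skipped
    while i + 2 <= len(attrs):
        t, length = attrs[i], attrs[i + 1]
        if length < 2 or i + length > len(attrs):
            raise ValueError("malformed RADIUS attribute")
        out[t] = attrs[i + 2:i + length]
        i += length
    return out

def build_disconnect_request(secret, ident, mac, nasid):
    """NAC side: the packet sent to the AP's radius_das_port to drop one station."""
    attrs = _attr(ATTR_CALLING_STATION_ID, mac.encode()) + _attr(ATTR_NAS_IDENTIFIER, nasid.encode())
    header = struct.pack("!BBH", DISCONNECT_REQUEST, ident, 20 + len(attrs))
    # Request Authenticator = MD5(Code + ID + Length + 16 zero octets + Attributes + Secret)
    return header + hashlib.md5(header + bytes(16) + attrs + secret).digest() + attrs

def das_server_handle(packet, src_ip):
    """AP side (simplified model): enforce radius_das_client '<ip> <secret>', then ACK or NAK."""
    if src_ip != DAS_CLIENT_IP or len(packet) < 20:
        return None  # not the configured DAS client: no reply at all
    header, req_auth, attrs = packet[:4], packet[4:20], packet[20:]
    if not hmac.compare_digest(hashlib.md5(header + bytes(16) + attrs + DAS_SECRET).digest(), req_auth):
        return None  # wrong shared secret: drop silently
    mac = parse_attrs(attrs).get(ATTR_CALLING_STATION_ID, b"").decode()
    ok = mac in CONNECTED_STATIONS  # unknown session -> NAK with Error-Cause 503 (Session-Context-Not-Found)
    code = DISCONNECT_ACK if ok else DISCONNECT_NAK  # ACK: station dropped, re-authenticates, gets the new VLAN
    resp_attrs = b"" if ok else _attr(ATTR_ERROR_CAUSE, struct.pack("!I", 503))
    resp_header = struct.pack("!BBH", code, packet[1], 20 + len(resp_attrs))
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    return resp_header + hashlib.md5(resp_header + req_auth + resp_attrs + DAS_SECRET).digest() + resp_attrs

def nac_check_response(secret, request, response):  # NAC side: returns 41 (ACK), 42 (NAK) or None
    if response is None or len(response) < 20 or response[1] != request[1]:
        return None
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return response[0] if hmac.compare_digest(expected, response[4:20]) else None
```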
