Hello Tristan,

Yes, it's possible and this is a simple workflow.

I don't know what hardware you are using, but try to use RADIUS instead
of port sec.

So for example, if you have a Cisco 2960, configure the switch port for
MAC authentication bypass only
(https://github.com/inverse-inc/packetfence/blob/devel/docs/PacketFence_Network_Devices_Configuration_Guide.asciidoc#mac-authentication-bypass-only).
Create the Student and Staff roles (Configuration -> Roles).
On the pf side, configure the switch with all the information needed (IP,
RADIUS secret, SNMP, role, ...).
Set the VLAN ID of the registration role to match the reg VLAN (if it's a
remote network, then the remote reg VLAN ID) of your switch, and set the
Staff and Student role VLANs too.

Then create an Active Directory source and define rules (set access
duration, set role based on group membership (the DN)).

And finally, create a portal profile with the switch IP as filter
(can be another filter) and add the AD source.

So when you plug your laptop into a switch port, a RADIUS request will
be sent to PacketFence, with the reg VLAN in the answer.
The laptop will receive an IP, DNS and gateway address from PacketFence and
try to hit http://www.inverse.ca ;-) and the answer will be the IP of
the registration interface (the captive portal).

So based on the filter of the portal profile, you will hit a specific
portal and see the AUP, and it will ask you to fill in the username and
password (tested on the AD source you created before).
If it's OK and if the user matches a rule, then pf will send a deauth to
the switch, a new RADIUS request will come, and pf will answer with the
VLAN ID based on the role.

That's all.

Regards
Fabrice




 
On 2014-12-19 19:44, Tristan Rhodes wrote:
> Here is the functionality we want Packetfence to do:
>
> 1) We want new users to see a captive portal.  This page forces the users
> to confirm that they have read the AUP, by logging into the captive portal
> with their Active Directory credentials.
>
> 2) If we manually disable a user from the Packetfence web-interface, the
> user will see a screen explaining what is happening and how to resolve the
> issue.
>
> Is this possible?  If so, what settings would be required?  I don't want
> users to mess with 802.1x on their computers; I'd rather they authenticate
> using the captive portal.  Does this mean I need to use
> "port-security+SNMP" method of changing VLANS?  What other settings?
>
> Cheers!
>
> Tristan
>
> *Tristan Rhodes*
> Network Engineer
> Weber State University
> 801.626.8549
>
>
> _______________________________________________
> PacketFence-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/packetfence-users
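
The flow described in the reply above (registration VLAN on the first RADIUS request, portal login against AD rules, role VLAN after the deauth), modelled as an added Python example; it is not PacketFence code and not part of the original thread. The VLAN IDs, group DNs, durations and all function names are assumptions made up for illustration.

```python
import re

# Constructed sample data: VLAN IDs, group DNs and durations are placeholders.
SWITCH_VLANS = {"registration": 2, "Student": 10, "Staff": 20}
AD_RULES = [  # evaluated in order, first match wins: (group DN, role, access duration)
    ("CN=Staff,OU=Groups,DC=example,DC=edu", "Staff", "12h"),
    ("CN=Students,OU=Groups,DC=example,DC=edu", "Student", "8h"),
]
nodes = {}  # normalized MAC -> {"role", "duration"} for registered nodes only


def normalize_mac(mac):
    """Reduce aa:bb.., aa-bb.., aabb.ccdd.eeff or bare hex to aa:bb:cc:dd:ee:ff."""
    digits = re.sub(r"[-:.]", "", mac.strip()).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def match_role(member_of):
    """Return (role, duration) of the first rule whose DN is in member_of, else None."""
    groups = {dn.strip().lower() for dn in member_of}  # DNs compare case-insensitively
    for dn, role, duration in AD_RULES:
        if dn.lower() in groups:
            return role, duration
    return None


def portal_login(mac, bind_ok, member_of):
    """Captive-portal submit. True means: register the node and deauth its port."""
    matched = match_role(member_of) if bind_ok else None
    if matched is None:
        return False  # bad credentials or no matching rule: node stays unregistered
    nodes[normalize_mac(mac)] = {"role": matched[0], "duration": matched[1]}
    return True


def radius_reply(mac):
    """Answer a MAB Access-Request with the RFC 3580 VLAN assignment attributes."""
    node = nodes.get(normalize_mac(mac))
    role = node["role"] if node else "registration"
    # Fail closed: a role with no VLAN defined on this switch gets the reg VLAN.
    vlan = SWITCH_VLANS.get(role, SWITCH_VLANS["registration"])
    return {"Tunnel-Type": "VLAN", "Tunnel-Medium-Type": "IEEE-802",
            "Tunnel-Private-Group-Id": str(vlan)}
```

The MAC is normalized on every lookup because the switch, the portal and the node table may each write the same address in a different notation, and a mismatch would leave a registered device stuck in the registration VLAN.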
