Fabrice, I am purely Web Auth via Cisco WLC.
So, in that configuration, I don't believe there is any way to change VLANs
- as Web Auth is purely controlling access via ACLs on the WLC.
- now if I'm wrong on this, I need to be pointed in the right direction.
So, I am trying to figure out how to basically have two registration
interfaces in a pure WLC Web Auth setup:
Vlan4 - Staff/Fac
Vlan5 - Guest
But it looks like I can only have portal, since I set up Vlan 4 first - the
portal exists on that address space/subnet. So, the issue I'm having: when
I join the Guest network, a client in that network is unable to get to the
portal page. It looks like a redirect is happening, but I just can't get to
it (the PF portal). The ACL on the WLC is indicating that the traffic is
being passed, but I don't believe iptables on the PF box is allowing it. A
client in the Guest network definitely cannot get to http/https on the PF
portal IP address (confirming via an Nmap scan).
So I guess the question is, providing you understand what I'm trying to
accomplish, can I have multiple Registration interfaces that use the same
PF portal? And what are the configuration requirements? Throwing up two PF
boxes - one for Staff/Fac/Student, one for Guest - would certainly work, just
curious if I can do it all in one box.
Thanks.
On Wed, May 20, 2015 at 8:23 AM, Fabrice DURAND <[email protected]> wrote:
> Hello Nelson,
>
> I am not sure I understand what you really want to do.
>
> Let's say you have a registration network: VLAN 4
> A production network for the staff and a production network for the guest
> (5).
>
> When a device is unreg then PacketFence will return the VLAN 5 and the
> device will hit the portal.
> Then, depending on whether it's a Staff or a guest, after registration the
> device will be placed on its production network (depending on its role).
>
> Is it something like that you want to achieve?
>
> Regards
> Fabrice
>
>
> On 2015-05-19 14:18, J Nelson wrote:
>
> Any role configured on a different subnet other than the native subnet
> where the captive portal is located will not work.
>
> So, what I do have working is my Fac-Staff SSID which is on VLAN 4/
> 10.4.0.0/24
> Captive portal is located at: 10.4.0.3
> WLC is configured at Network | Switches | and is configured to do Role by
> Switch Role, where WLC ACLs are entered to define Registration and then
> Fac-Staff access upon registration.
>
> The Portal URL is in the Fac-Staff registration network - IP address, in
> this case: 10.4.0.3
>
> So, the problem I’m running into is that I want Guests on a different
> subnet and SSID other than where Fac-Staff reside. So I create a new
> interface, on a different subnet, as: Type - Registration, and configure a
> new SSID on the WLC side.
>
> So, for now, I configure the WLC under switches with the same ACLs as
> Fac-Staff for the Guest role - just for simplicity I’m using the same ACLs
> for now, since I know they work.
>
> The Guest network info is: vlan 5 | 10.5.0.0
>
> So, when logging on as guest, it appears as though a redirect attempts to
> happen, but doing a port scan shows that a computer attached to the guest
> SSID does not have http/https available to them on 10.4.0.3 - the captive
> portal.
>
> Looking at the PF iptables config, it appears as though there is a
> variable that says any registration network should have access to the
> captive portal, but that seems to not be the case.
>
> So, why am I trying to configure this?
> With guests on a different VLAN, I can very easily control the bandwidth
> available to them in multiple places - from the WLC, from the core
> switches, or from our NetEnforcer.
>
> Basic network configuration is correct: PF can ping guest network gateway
> and WLC interfaces as well.
>
> But it seems to me like it's definitely in iptables, but I'm hesitant to
> make changes in case what I'm trying to accomplish is way off base.
>
> Hopefully it's somewhat clear what I’m trying to do here, any ideas?
>
> --
> Justin Nelson
> Network Engineer
> Augustana College
>
>
> _______________________________________________
> PacketFence-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/packetfence-users
>
>
>
> --
> Fabrice [email protected] :: +1.514.447.4918 (x135) :: www.inverse.ca
> Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence
> (http://packetfence.org)
>
>
--
Justin Nelson
Network Engineer
Augustana College
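
Added example, not part of the original thread and not PacketFence code: one way to test the "WLC ACL passes it but iptables on the PF box drops it" theory offline is to walk an `iptables-save` dump for a new connection from the guest subnet to the portal ports. The ruleset below is constructed for illustration, and the interface names eth0.4/eth0.5, the chain name portal-in and the client address 10.5.0.50 are assumptions.

```python
import ipaddress

# Constructed iptables-save excerpt, NOT PacketFence's generated ruleset.
# eth0.4 / eth0.5 are assumed interface names for VLAN 4 and VLAN 5.
BEFORE = """\
*filter
:INPUT DROP [0:0]
:portal-in - [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0.4 -j portal-in
-A portal-in -p tcp -m tcp --dport 80 -j ACCEPT
-A portal-in -p tcp -m tcp --dport 443 -j ACCEPT
COMMIT
"""
# Same ruleset with the guest interface also sent to the portal chain.
AFTER = BEFORE.replace("COMMIT", "-A INPUT -i eth0.5 -j portal-in\nCOMMIT")

def parse(text):
    """Return (policies, chains) from a filter-table dump (no '!' negation)."""
    policies, chains = {}, {}
    for line in text.splitlines():
        tok = line.split()
        if line.startswith(":"):
            policies[tok[0][1:]] = tok[1]
        elif line.startswith("-A "):
            # every option in the sample is a flag followed by one value
            chains.setdefault(tok[1], []).append(dict(zip(tok[2::2], tok[3::2])))
    return policies, chains

def verdict(text, iface, src, dport, chain="INPUT", _parsed=None):
    """Fate of a new TCP connection arriving on iface from src to dport."""
    policies, chains = _parsed or parse(text)
    for r in chains.get(chain, []):
        if "--state" in r and "NEW" not in r["--state"].split(","):
            continue  # conntrack rule that cannot match the first SYN
        if r.get("-i", iface) != iface or r.get("-p", "tcp") != "tcp":
            continue
        if "-s" in r and ipaddress.ip_address(src) not in ipaddress.ip_network(r["-s"], strict=False):
            continue
        if "--dport" in r and int(r["--dport"]) != dport:
            continue
        target = r.get("-j")
        if target in ("ACCEPT", "DROP", "REJECT"):
            return target
        hit = verdict(text, iface, src, dport, target, (policies, chains))
        if hit:
            return hit
    policy = policies.get(chain, "-")
    return None if policy == "-" else policy  # user chains fall back to caller
```

Calling `verdict(BEFORE, "eth0.5", "10.5.0.50", 443)` shows the guest client falling through to the INPUT policy, while the same call on `AFTER` reaches the portal chain. The walker handles only the option forms present in the sample (single-value flags, no port ranges).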