Hi John, so you will have to go in the code because there is only one portal url per switch config.
So let's do a hack:

https://github.com/inverse-inc/packetfence/blob/devel/lib/pf/Switch/Cisco/WLC_http.pm#L161

    # Choose the redirect target per SSID; any other SSID keeps the
    # portal URL configured on the switch.
    my $portal_url;
    if ( $ssid eq "Staff" ) {
        $portal_url = "10.4.0.3";
    } elsif ( $ssid eq "Guest" ) {
        $portal_url = "10.5.0.3";
    } else {
        $portal_url = $this->{'_portalURL'};
    }

    $radius_reply_ref = {
        'User-Name' => $mac,
        'Cisco-AVPair' => ["url-redirect-acl=$role","url-redirect=".$portal_url."/cep$session_id{_session_id}"],
    };

Regards
Fabrice

On 2015-05-20 09:40, J Nelson wrote:
> Fabrice, I am purely Web Auth via Cisco WLC.
>
> So, in that configuration, I don't believe there is any way to change
> VLANs - as Web Auth is purely controlling access via ACLs on the WLC.
> - now if I'm wrong on this, I need to be pointed in the right direction.
>
> So, I am trying to figure out how to basically have two registration
> interfaces in a pure WLC Web Auth setup:
> Vlan4 - Staff/Fac
> Vlan5 - Guest
>
> but, it looks like I can only have portal, since I set up Vlan 4 first
> - the portal exists on that address space/subnet. So, the issue I'm
> having, when I join the Guest network, a client in that network is
> unable to get to the portal page. It looks like a redirect is
> happening, but I just can't get to it (the PF portal). The ACL on the
> WLC is indicating that the traffic is being passed, but I don't believe
> IPtables on the PF box is allowing it. A client in the Guest network
> definitely cannot get to http/https on the PF portal IP address
> (confirming via an NMAP scan).
>
> So I guess the question is, providing you understand what I'm trying
> to accomplish, can I have multiple Registration interfaces that use
> the same PF portal? And what are the configuration requirements?
> Throwing up two PF boxes - one for Staff/Fac/Student one for Guest
> would certainly work, just curious if I can do it all in one box.
>
> thanks..
>
> On Wed, May 20, 2015 at 8:23 AM, Fabrice DURAND wrote:
>
> Hello Nelson,
>
> I am not sure I understand what you really want to do.
>
> Let's say you have a registration network: VLAN 4
> A production network for the staff and a production network for
> the guest (5).
>
> When a device is unreg then packetfence will return the vlan 5 and
> the device will hit the portal.
> Then depending on whether it's a Staff or a guest, after registration
> the device will be placed on its production network (depending on
> its role).
>
> Is it something like that you want to achieve?
>
> Regards
> Fabrice
>
>
> On 2015-05-19 14:18, J Nelson wrote:
>> any role configured on a different subnet other than the native
>> subnet where the captive portal is located will not work.
>>
>> So, what I do have working is my Fac-Staff SSID which is on VLAN
>> 4/10.4.0.0/24
>> captive portal is located at: 10.4.0.3
>> WLC is configured at Network | Switches | and is configured to do
>> Role by Switch Role, where WLC ACLs are entered to define
>> Registration and then Fac-Staff access upon registration.
>>
>> The Portal URL is in the Fac-Staff registration network - IP
>> address, in this case: 10.4.0.3
>>
>> So, the problem I'm running into, is that I want Guests on a
>> different subnet and SSID other than where Fac-Staff reside. So
>> I create a new interface, on a different subnet, as: Type -
>> Registration, and configure a new SSID on the WLC side.
>>
>> So, for now, I configure the WLC under switches with the same
>> ACLs as Fac-Staff for the Guest role - just for simplicity I'm
>> using the same ACLs for now, since I know they work.
>>
>> The Guest network info is: vlan 5 | 10.5.0.0
>>
>> So, when logging on as guest, it appears as though a redirect
>> attempts to happen, but doing a port scan shows that a computer
>> attached to the guest SSID does not have http/https available to
>> them on 10.4.0.3 - the captive portal.
>>
>> Looking at the PF iptables config, it appears as though there is
>> a variable that says any registration network should have access
>> to the captive portal. But that seems to not be the case.
>>
>> So, why am I trying to configure this?
>> With guests on a different vlan, I can very easily control the
>> bandwidth available to them in multiple places - from the WLC,
>> from the core switches, or from our NetEnforcer.
>>
>> Basic network configuration is correct: PF can ping guest network
>> gateway and WLC interfaces as well.
>>
>> But, it seems to me like it's definitely in IPTables, but I'm
>> hesitant to make changes in case what I'm trying to accomplish is
>> way off base.
>>
>> Hopefully it's somewhat clear what I'm trying to do here, any ideas?
>>
>> --
>> Justin Nelson
>> Network Engineer
>> Augustana College
>>
>> _______________________________________________
>> PacketFence-users mailing list
>> [email protected]
>> https://lists.sourceforge.net/lists/listinfo/packetfence-users
>
>
> --
> Fabrice Durand
> [email protected] :: +1.514.447.4918 (x135) :: www.inverse.ca
> Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence
> (http://packetfence.org)
>
>
> --
> Justin Nelson
> Network Engineer
> Augustana College

--
Fabrice Durand
[email protected] :: +1.514.447.4918 (x135) :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence (http://packetfence.org)
