Hi Nelson, my bad:
$portal_url="10.4.0.3"; => $portal_url='http://10.4.0.3';
$portal_url="10.5.0.3"; => $portal_url='http://10.5.0.3';

Regards
Fabrice

On 2015-05-21 10:47, J Nelson wrote:
> Fabrice,
>
> I tried to add what you provided to the code of WLC_http.pm, but once
> I do it, I get put into an endless redirect loop on both networks. I
> do see that each network is trying to redirect to the proper portal
> IP. I'm putting what I have in WLC_http.pm - I'm including some lines
> before and after the code tweak you provided - just so you can see if
> anything is missing before/after like a { or ; somewhere.
>
>     my $role = $this->getRoleByName($user_role);
>     # Roles are configured and the user should have one
>     if (defined($role) && isenabled($this->{_RoleMap})) {
>         my $node_info = node_view($mac);
>         if ($node_info->{'status'} eq $pf::node::STATUS_REGISTERED) {
>             $radius_reply_ref = {
>                 'User-Name' => $mac,
>                 $this->returnRoleAttribute => $role,
>             };
>         }
>         else {
>             my (%session_id);
>             pf::web::util::session(\%session_id,undef,6);
>             $session_id{client_mac} = $mac;
>             $session_id{wlan} = $ssid;
>             $session_id{switch_id} = $this->{_id};
>             my $portal_url;
>             if ( $ssid eq "Webreg-Production") {
>                 $portal_url="10.4.0.3";
>             }elsif ( $ssid eq "Augie-Guest") {
>                 $portal_url="10.5.0.3";
>             } else {
>                 $portal_url=$this->{'_portalURL'};
>             }
>
>             $radius_reply_ref = {
>                 'User-Name' => $mac,
>                 'Cisco-AVPair' =>
>                     ["url-redirect-acl=$role","url-redirect=".$portal_url."/cep$session_id{_session_id}"],
>             };
>
>         }
>         $logger->info("[$mac] (".$this->{'_id'}.") Returning ACCEPT with role: $role");
>     }
>
> On Wed, May 20, 2015 at 9:33 AM, Fabrice DURAND <[email protected]> wrote:
>
>     Hi John,
>
>     so you will have to go in the code because there is only one
>     portal url per switch config.
>
>     So let's do a hack:
>
>     https://github.com/inverse-inc/packetfence/blob/devel/lib/pf/Switch/Cisco/WLC_http.pm#L161
>
>     my $portal_url;
>     if ( $ssid eq "Staff") {
>         $portal_url="10.4.0.3";
>     }elsif ( $ssid eq "Guest") {
>         $portal_url="10.5.0.3";
>     } else {
>         $portal_url=$this->{'_portalURL'};
>     }
>
>     $radius_reply_ref = {
>         'User-Name' => $mac,
>         'Cisco-AVPair' =>
>             ["url-redirect-acl=$role","url-redirect=".$portal_url."/cep$session_id{_session_id}"],
>     };
>
>     Regards
>     Fabrice
>
>     On 2015-05-20 09:40, J Nelson wrote:
>> Fabrice, I am purely Web Auth via Cisco WLC.
>>
>> So, in that configuration, I don't believe there is any way to
>> change VLANs - as Web Auth is purely controlling access via ACLs
>> on the WLC.
>> - now if I'm wrong on this, I need to be pointed in the right
>> direction.
>>
>> So, I am trying to figure out how to basically have two
>> registration interfaces in a pure WLC Web Auth setup:
>> Vlan4 - Staff/Fac
>> Vlan5 - Guest
>>
>> but, it looks like I can only have portal, since I set up Vlan 4
>> first - the portal exists on that address space/subnet. So, the
>> issue I'm having, when I join the Guest network, a client in that
>> network is unable to get to the portal page. It looks like a
>> redirect is happening, but I just can't get to it (the PF
>> portal). The ACL on the WLC is indicating that the traffic is
>> being passed, but I don't believe IPtables on the PF box is
>> allowing it. A client in the Guest network definitely cannot get
>> to http/https on the PF portal IP address (confirming via an NMAP
>> scan).
>>
>> So I guess the question is, providing you understand what I'm
>> trying to accomplish, can I have multiple Registration interfaces
>> that use the same PF portal? And what are the configuration
>> requirements? Throwing up two PF boxes - one for
>> Staff/Fac/Student one for Guest would certainly work, just
>> curious if I can do it all in one box.
>>
>> thanks..
>>
>> On Wed, May 20, 2015 at 8:23 AM, Fabrice DURAND <[email protected]> wrote:
>>
>>     Hello Nelson,
>>
>>     I am not sure I understand what you really want to do.
>>
>>     Let's say you have a registration network: VLAN 4
>>     A production network for the staff and a production network
>>     for the guest (5).
>>
>>     When a device is unreg then packetfence will return the vlan
>>     5 and the device will hit the portal.
>>     Then depending if it's a Staff or a guest then after
>>     registration the device will be placed on his production
>>     network (depending on his role).
>>
>>     Is it something like that you want to achieve?
>>
>>     Regards
>>     Fabrice
>>
>>     On 2015-05-19 14:18, J Nelson wrote:
>>> any role configured on a different subnet other than the
>>> native subnet where the captive portal is located will not work.
>>>
>>> So, what I do have working is my Fac-Staff SSID which is on
>>> VLAN 4/10.4.0.0/24
>>> captive portal is located at: 10.4.0.3
>>> WLC is configured at Network | Switches | and is configured
>>> to do Role by Switch Role, where WLC ACL’s are entered to
>>> define Registration and then Fac-Staff access upon
>>> registration.
>>>
>>> The Portal URL is in the Fac-Staff registration network - IP
>>> address, in this case: 10.4.0.3
>>>
>>> So, the problem I’m running into, is that I want Guests on a
>>> different subnet and SSID other than where Fac-Staff
>>> reside. So I create a new interface, on a different subnet,
>>> as: Type - Registration, and configure a new SSID on the WLC
>>> side.
>>>
>>> So, for now, I configure the WLC under switches with the
>>> same ACL’s as Fac-Staff for the Guest role - just for
>>> simplicity I’m using the same ACL’s for now, since I know
>>> they work.
>>>
>>> The Guest network info is: vlan 5 | 10.5.0.0
>>>
>>> So, when logging on as guest, it appears as though a
>>> redirect attempts to happen, but doing a port scan shows
>>> that a computer attached to the guest SSID does not have
>>> http/https available to them on 10.4.0.3 - the captive portal.
>>>
>>> looking at the PF iptables config, it appears as though
>>> there is a variable that says any registration network
>>> should have access to the captive portal. but that seems to
>>> not be the case.
>>>
>>> So, why am I trying to configure this?
>>> with guests on a different vlan, I can very easily control
>>> the bandwidth available to them in multiple places - from
>>> the WLC, from the core switches, or from our NetEnforcer.
>>>
>>> Basic network configuration is correct: PF can ping guest
>>> network gateway and WLC interfaces as well.
>>>
>>> But, it seems to me like it's definitely in IPTables, but I'm
>>> hesitant to make changes in case what I'm trying to
>>> accomplish is way off base.
>>>
>>> Hopefully it's somewhat clear what I’m trying to do here, any
>>> ideas?
>>>
>>> --
>>> Justin Nelson
>>> Network Engineer
>>> Augustana College

--
Fabrice Durand
[email protected] :: +1.514.447.4918 (x135) :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence (http://packetfence.org)
_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
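
The correction at the top of this thread (give the portal as a full `http://` URL rather than a bare IP), as an added example that is not part of the original messages or of PacketFence's code: a table-driven SSID-to-portal lookup that rejects any value that is not an absolute http(s) URL before it is placed in the `url-redirect` attribute. The helper names, the default URL, the role name and the session id are assumptions made for the example.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# SSIDs and portal addresses as quoted in the thread; the default URL is a
# placeholder standing in for the switch's configured portal URL.
my %PORTAL_BY_SSID = (
    'Webreg-Production' => 'http://10.4.0.3',
    'Augie-Guest'       => 'http://10.5.0.3',
);
my $DEFAULT_PORTAL = 'http://portal.example.invalid';

# Hypothetical helper: true only for scheme://host[:port] with http or https,
# so the bare "10.4.0.3" from the first attempt is rejected.
sub is_absolute_portal_url {
    my ($url) = @_;
    return 0 unless defined $url;
    return $url =~ m{\Ahttps?://[A-Za-z0-9.-]+(?::[0-9]{1,5})?\z} ? 1 : 0;
}

# Hypothetical helper: per-SSID portal with fallback; dies on a bad entry
# instead of handing the controller a scheme-less value.
sub portal_url_for_ssid {
    my ($ssid) = @_;
    my $url = $PORTAL_BY_SSID{ $ssid // '' } // $DEFAULT_PORTAL;
    die "portal URL is not an absolute http(s) URL: $url\n"
        unless is_absolute_portal_url($url);
    return $url;
}

# Build the Cisco-AVPair list in the same shape as the snippet in the thread.
# Assumption for this sketch: role and session id are plain tokens.
sub redirect_avpairs {
    my ($ssid, $role, $session_id) = @_;
    for my $token ($role, $session_id) {
        die "unexpected characters in token: $token\n" unless $token =~ /\A[\w-]+\z/;
    }
    my $portal = portal_url_for_ssid($ssid);
    return [ "url-redirect-acl=$role", "url-redirect=$portal/cep$session_id" ];
}

# Constructed inputs: role name and session id are made up for the demo.
for my $ssid ('Webreg-Production', 'Augie-Guest', 'Some-Other-SSID') {
    print "$ssid: $_\n" for @{ redirect_avpairs($ssid, 'Registration-ACL', 'a1b2c3') };
}
for my $candidate ('10.4.0.3', 'ftp://10.4.0.3', 'http://10.4.0.3/extra') {
    printf "%-22s %s\n", $candidate,
        is_absolute_portal_url($candidate) ? 'accepted' : 'rejected';
}
```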
