I'm not a packetfence developer but I kinda asked the same question a while ago, because I had the same scenario as you: regular user VLAN using 802.1x and guest user VLAN without 802.1x on the WIRED network.
From what I understood, you would need here to use MAC authentication: in the switch you can set 802.1x first, and then use MAC authentication if no 802.1x frames are detected. That way, when a guest plugs in, the switch receives no 802.1x and after a certain timeout, it will embed the MAC address of the guest inside an 802.1x frame to the radius server. Then the rest is as usual. Since PacketFence cannot authenticate this, it will redirect the user to the Registration VLAN, where the guest could register and then will be put in a guest VLAN. Next time the guest plugs in, with the default rules of packetfence, it should be directly set in the guest VLAN.

Of course, in this setup, MAC spoofing is possible but since this is the guest VLAN (generally only Internet Access), this should pose low risk if your VLANs are correctly configured and hardened on your switches ;)

For my part, I'm still struggling with the radius configuration with kerberos ><

Hope it clarifies things a bit.

2015-05-31 11:48 GMT+02:00 mourik jan heupink <heup...@gmail.com>:

> Hi Louis, list,
>
> Things are progressing nicely here: Currently we have pf running inline
> (with registration portal) for the wlan, and in 802.1x mode for the
> wired network.
>
> It's all very cool, and it works great :-)
>
> There is however one remaining scenario we would like to do:
>
> Suppose an unknown client (device plus user) connects to the wired
> (802.1x) network. The user does not exist in samba4 AD, therefore
> cannot provide 802.1x network credentials.
>
> On our switch (procurve 5400) I have defined a WLAN VLAN specific for
> the wifi (packetfence inline)
>
> Would it be possible somehow to make this unknown user/device get the
> registration portal (nota bene: on the WIRED network), register
> him/herself, and then put on the WLAN VLAN?
>
> The purpose of this: we would be able to provide an open wired network
> for guest access the same way we currently have our 'open wireless
> network'.
>
> The problem, the way I see it now, is that ports are either 802.1x, or
> not. As packetfence can do so much, perhaps it has a solution for this
> as well?
>
> Regards,
> Mourik Jan
>
> On 05/26/2015 05:21 PM, Louis Munro wrote:
> > Then how about chgrp pf /var/lib/samba/winbindd_privileged/ ?
> >
> > I believe this is only an issue using sernet packages.
> >
> > Regards,
> > --
> > Louis Munro
> > lmu...@inverse.ca :: www.inverse.ca
> > +1.514.447.4918 x125 :: +1 (866) 353-6153 x125
> > Inverse inc. :: Leaders behind SOGo (www.sogo.nu)
> > and PacketFence (www.packetfence.org)

--
Nicolas Gailly
------------------------------------------------------------------------------
_______________________________________________
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users
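
The fallback described in the reply above, seen from the RADIUS side, as an added example that is not part of the original thread and not PacketFence's own code: it classifies an Access-Request as 802.1X or MAC authentication and picks a VLAN. The VLAN IDs, the `registered` and `users` sets and the sample requests are constructed, and the user set only stands in for a real EAP credential check.

```python
import re

# Hypothetical VLAN IDs, constructed for this example.
VLANS = {"staff": 10, "registration": 20, "guest": 30}

def norm_mac(value):
    """Return aa:bb:cc:dd:ee:ff for common MAC notations, else None."""
    compact = re.sub(r"[-:.]", "", value or "").lower()
    if not re.fullmatch(r"[0-9a-f]{12}", compact):
        return None
    return ":".join(compact[i:i + 2] for i in range(0, 12, 2))

def connection_type(req):
    """Classify an Access-Request given as a dict of RADIUS attributes."""
    mac = norm_mac(req.get("Calling-Station-Id"))
    user_is_mac = mac is not None and norm_mac(req.get("User-Name")) == mac
    if "EAP-Message" not in req:
        return "mac-auth"  # switch sent the MAC without EAP
    # Assumption: a switch that wraps the MAC fallback in EAP puts the MAC in User-Name.
    return "mac-auth-eap" if user_is_mac else "802.1x"

def decide_vlan(req, registered, users):
    """Return a VLAN ID, or None for Access-Reject."""
    if connection_type(req) == "802.1x":
        # Stand-in for the real EAP credential check against the directory.
        return VLANS["staff"] if req.get("User-Name") in users else None
    # MAC authentication: the decision is keyed on the MAC address alone, so
    # anything presenting a registered MAC lands in the guest VLAN. Keep that
    # VLAN restricted, as the reply notes.
    mac = norm_mac(req.get("Calling-Station-Id"))
    return VLANS["guest"] if mac in registered else VLANS["registration"]

# Constructed sample requests.
STAFF = {"User-Name": "alice", "Calling-Station-Id": "00-11-22-33-44-55",
         "EAP-Message": b"\x02"}
GUEST = {"User-Name": "aabbccddeeff", "Calling-Station-Id": "AA:BB:CC:DD:EE:FF"}
GUEST_EAP = dict(GUEST, **{"EAP-Message": b"\x02"})

if __name__ == "__main__":
    registered = set()
    print(decide_vlan(STAFF, registered, {"alice"}))      # 10 (staff)
    print(decide_vlan(GUEST, registered, {"alice"}))      # 20 (registration)
    registered.add(norm_mac(GUEST["Calling-Station-Id"]))  # guest registers on the portal
    print(decide_vlan(GUEST_EAP, registered, {"alice"}))  # 30 (guest)
```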