On Aug 11, 2015, at 9:19 , Dennis Schulmeyer <[email protected]> wrote:

> I have to admit that I’m relatively new to this topic… but I’ve read lots of 
> stuff about it… :)
> So I tried different configurations and found that only a combination of 
> linkUp/Down and 802.1x/MAB can satisfy our needs.
> What I don’t understand is how a new IP assignment should work without 
> linkDown and Up again for a non 802.1x/MAB (out-of-band) client.
> For example: Guest users are put in the "registration VLAN", then they 
> authenticate via web portal, then they are put into the "guest VLAN".. But 
> the clients won’t search for a new IP address unless the network connection 
> will be disconnected… that’s why I use linkUP/Down via snmp …

That is why we send a radius disconnect request to the switch.

The flow is something like this: 

1. The device connects to a port
2. The switch sends a radius request for that port
3. We reply with the registration VLAN
4. The user registers the device on the captive portal
5. Upon registration, a radius disconnect packet is sent to the switch, which 
triggers… 
6. A new radius request from the switch for the same device, as if the device 
had just connected
7. A new radius reply is sent, this time with the production VLAN

Your device should see the disconnection at step 5 and request a new IP.
To ensure that, we set the default lease time in the registration VLAN to 30 
seconds.
So the longest most clients should spend with an incorrect lease is 15 
seconds, and that’s only if they don’t notice the disconnection.

> 
> Before I reconfigure all my test equipment, can you confirm that I’ll make 
> this all with RADIUS auth. only?

Yes. Test it for yourself. 
Get familiar with radius by running it in debug mode (radiusd -d 
/usr/local/pf/raddb -X).
Time spent there to understand how all of this works will be very rewarding.

> 
> fyi: what we have here is…(stupid)Panasonic IP phones, Cisco C2960 + C3750 
> switches, Cisco WAC+APs, MS AD Source and all different kinds of clients.. 
> wired and wireless.., 4 different VLANs to put users in, depending on group 
> membership or machine name.

The Panasonic stupid(tm) phones are the only ones I have not tested with this. 

Regards,
--
Louis Munro
[email protected]  ::  www.inverse.ca 
+1.514.447.4918 x125  :: +1 (866) 353-6153 x125
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence 
(www.packetfence.org)
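The disconnect at step 5 of the flow above is a RADIUS Disconnect-Request (RFC 5176). The following is an added example, not code from this thread or from PacketFence itself: it builds such a packet the way a NAC server would send it to the switch, and shows the switch-side check that the Request Authenticator matches the shared secret. The secret, NAS IP and MAC address are constructed sample values.

```python
import hashlib
import hmac
import os
import struct

# Packet codes from RFC 5176 (Dynamic Authorization Extensions to RADIUS).
DISCONNECT_REQUEST = 40
DISCONNECT_ACK = 41
DISCONNECT_NAK = 42

# RFC 2865 attribute types used here to identify the session to tear down.
NAS_IP_ADDRESS = 4
CALLING_STATION_ID = 31


def encode_attrs(attrs):
    """Encode (type, value) pairs in RADIUS TLV form: type, length, value."""
    out = b""
    for attr_type, value in attrs:
        if len(value) > 253:
            raise ValueError("attribute value too long")
        out += struct.pack("!BB", attr_type, len(value) + 2) + value
    return out


def request_authenticator(code, ident, attrs, secret):
    """RFC 5176 2.3: MD5(Code + ID + Length + 16 zero octets + Attributes + Secret)."""
    length = 20 + len(attrs)
    header = struct.pack("!BBH", code, ident, length) + bytes(16)
    return hashlib.md5(header + attrs + secret).digest()


def build_disconnect_request(secret, nas_ip, mac, ident=None):
    """Build a Disconnect-Request for the session identified by NAS IP and MAC."""
    if ident is None:
        ident = os.urandom(1)[0]
    attrs = encode_attrs([
        (NAS_IP_ADDRESS, bytes(int(octet) for octet in nas_ip.split("."))),
        (CALLING_STATION_ID, mac.encode()),
    ])
    auth = request_authenticator(DISCONNECT_REQUEST, ident, attrs, secret)
    return struct.pack("!BBH", DISCONNECT_REQUEST, ident, 20 + len(attrs)) + auth + attrs


def verify_disconnect_request(packet, secret):
    """Switch-side check: a mismatch means a wrong secret or a modified packet."""
    if len(packet) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != DISCONNECT_REQUEST or length != len(packet):
        return False
    expected = request_authenticator(code, ident, packet[20:], secret)
    return hmac.compare_digest(packet[4:20], expected)
```

The switch only acts on the request (and re-authenticates the port, steps 6 and 7) when this check passes, so a wrong shared secret shows up as a Disconnect-NAK or silence rather than a VLAN change.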
------------------------------------------------------------------------------
_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users