Hello Sir,

1. Normally when you are sitting in the registration network and you try to do 
an authentication on the captive portal, PacketFence will send a CoA (Change of 
Authorization) to the switch/equipment in order to switch the VLAN of the 
device. Most of the time it happens in RADIUS (CoA), but if the switch doesn’t 
support it, PacketFence just tries to do a shutdown and up on the port in order 
to regenerate the RADIUS request to apply the new VLAN. In that case the device 
knows that it needs to redo the DHCP because the link is briefly cut. But when 
you use the CoA, the device doesn’t know that the VLAN changed on the switch; 
the only option that you have is to put a short lease time on the registration 
network, like PacketFence has a 30 secs lease time on the registration network 
by default. So every 30 secs your device asks for a new IP, and if the VLAN 
changed, the device ends up in the production VLAN.

2. Basically PacketFence manages two VLANs: the Registration and Isolation 
VLANs. Meaning it will be the DNS, gateway and DHCP server in these VLANs. 
PacketFence will just return VLAN IDs to a switch or wireless controller; it 
doesn’t need to be part of your production, having a network card in all those 
VLANs.

3. With 802.1x there are two types of authentication: User authentication and 
Computer authentication. With user authentication you will authenticate a user 
that belongs to a specific domain. You can authenticate all the users you want 
on a computer with the User authentication mode; the process will verify if the 
user is in your Active Directory and also if the password matches. The Computer 
authentication is very similar, but it’s the computer sending out the 
information as host/hostname.domain.name to PacketFence, and PacketFence will 
try to authenticate this account in your AD. The particularity of both is that 
with computer authentication, your computer needs to be joined to only one 
domain (yours) and, on the other hand, the computer where you do the user 
authentication doesn’t need to be joined to the domain.

In both cases you will need to configure your 802.1x supplicant on the computer 
where you try to do the authentication.

Thanks and have a nice day!
Ludovic Zammit
[email protected] :: +1.514.447.4918 (x145) :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) 
and PacketFence (http://packetfence.org)





> On 16 May 2016 at 16:38, TOURE Amidou Florian <[email protected]> wrote:
> 
> Hi all, I have installed PacketFence 6.0 on my computer and it seems to be 
> working fine since I can authenticate a user, but I don't understand 3 points 
> on my configuration:
> - First, when I plug a user on the switchport it is put on the registration 
> VLAN and I do the authentication, but after the authentication the user moves 
> to the correct VLAN but doesn't get an IP from this VLAN. When I do a second 
> authentication with the same user it gets an IP address from its VLAN but 
> cannot access the web captive portal (I think that it is my DNS 
> configuration). How can I authenticate the user directly and put it on 
> the correct VLAN after the authentication?
> - Second, on my PacketFence, when I want to configure DNS for my VLANs I can 
> do it only for one VLAN, but I cannot use this configuration to do the 
> resolution for all the VLANs. Can I use the PacketFence DNS configuration to 
> do the resolution of my personal VLANs? I'm very confused on this point.
> - Third, I remarked that on my PacketFence I cannot authenticate a user on the 
> same computer name. Would I create specific accounts for all my users? I'm 
> using a Windows Server AD.
> Thanks
> Regards 
> Amidou 
> 
> 
> _______________________________________________
> PacketFence-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/packetfence-users
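
Added example (not part of the original message and not PacketFence code): a Python illustration of point 3 in the reply, telling computer authentication from user authentication by the RADIUS User-Name, based on the host/hostname.domain.name form mentioned there. The `DOMAIN\user` and `user@domain` user forms, the function names, and the sample values are assumptions made for illustration.

```python
import re
from collections import Counter

# Computer authentication sends host/<hostname>.<domain>, as described in the reply.
MACHINE_RE = re.compile(
    r"^host/(?P<host>[A-Za-z0-9-]+)(?:\.(?P<domain>[A-Za-z0-9.-]+))?$", re.I)

def classify_identity(user_name):
    """Return (kind, account, realm) for an 802.1X identity / RADIUS User-Name."""
    name = user_name.strip()
    m = MACHINE_RE.match(name)
    if m:
        return ("computer", m.group("host").lower(),
                (m.group("domain") or "").lower())
    if "\\" in name:                    # assumed form: DOMAIN\user
        realm, account = name.split("\\", 1)
        return ("user", account.lower(), realm.lower())
    if "@" in name:                     # assumed form: user@domain
        account, realm = name.rsplit("@", 1)
        return ("user", account.lower(), realm.lower())
    return ("user", name.lower(), "")   # bare user name, no realm given

def audit(user_names, ad_domain):
    """Count authentication types and list computer identities whose domain
    is not ad_domain (computer authentication needs a machine joined to it).
    A host/ identity with no domain part is listed too."""
    counts, foreign = Counter(), []
    for raw in user_names:
        kind, _account, realm = classify_identity(raw)
        counts[kind] += 1
        if kind == "computer" and realm != ad_domain.lower():
            foreign.append(raw)
    return counts, foreign

# Constructed sample User-Name values (not taken from the thread).
SAMPLE = [
    "host/pc-042.corp.example.com",
    "CORP\\alice",
    "bob@corp.example.com",
    "host/laptop7.other.example.net",
    "carol",
]

if __name__ == "__main__":
    counts, foreign = audit(SAMPLE, "corp.example.com")
    print(dict(counts))
    print("computer identities outside the AD domain:", foreign)
```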
