Yes, right now I have one VLAN set up. The user connects to wifi (Cisco WLC). I
have set up Role by Switch Role, so it applies the
ACL Pre-Auth-For-WebRedirect (as outlined in the guide). It is also using
"Role by Web Auth URL", which works! The user is redirected to the portal to
register. After successful registration they receive the error saying there
is no connectivity even though there is (that's another issue). Anyway, I
can then browse on the internet.

However, when I enforce a violation (start a torrent), pfdetect kicks
off, emails the admin, and sets the role (but does not apply the ACL associated
with that role).

If I use other options in the violation like "Reevaluate Access Action", the
WLC disconnects the client, and when looking at the client details it's in the
requesting DHCP state and the IP is 0.0.0.0; however, the client does not know
this.

So how do I apply the ACL without disconnecting the user and redirect them
to the violation template page I selected in the violations configuration?



On Thu, May 19, 2016 at 8:24 AM, Fabrice Durand <[email protected]> wrote:

> Hello Mister C,
>
> yes you can use a different ACL and redirection when the device is unreg,
> you just have to define the isolation role to your ACL defined on your WLC
> and set a webauth url for your isolation role.
>
> Regards
> Fabrice
>
>
>
> On 2016-05-18 08:07, Mr C wrote:
>
> Would it be better to ask if there is a way to just apply a different ACL
> and redirection instead of switching VLANs since that doesn't seem to work
> for isolation?
>
> On Mon, May 16, 2016 at 10:52 AM, Mr C <[email protected]> wrote:
>
>> I have everything working as it should.
>>
>> When a user hits a violation and it triggers everything does what it
>> should. The WLC changes the VLAN and ACL. However the client disassociates
>> and IP address shows on the WLC as 0.0.0.0 however the client itself does
>> not know this and keeps its old IP without getting a new one.
>>
>> The transition from registration VLAN => Guest VLAN works. However
>> transition from Guest VLAN => isolation does not. What is the difference?
>> After registration it switches VLANs and ACLs just fine, but when a
>> violation is triggered and VLANs/ACLs change it does not.
>>
>> Here is violations.conf:
>> [30000025]
>> actions=email_admin,reevaluate_access,log,role,enforce_provisioning
>> auto_enable=N
>> template=p2p
>> priority=1
>>
>> trigger=detect::2000334,detect::2000369,detect::2011699,detect::2010144,detect::2006375,detect::2008582
>> enabled=Y
>> desc=P2P BitTorrent
>> grace=30s
>> target_category=isolated
>> vlan=isolated
>> max_enable=1
>>
>> I did a debug on the WLC and it does everything as it should but here is
>> what it does:
>> 1. Deauth Client / Disassociate Client
>> 2. Change VLAN & ACL
>> 3. Request DHCP (no replies)
>>
>> If I disconnect on my client and reconnect, everything works! I am in
>> the isolated VLAN and I get redirected to the violation webpage.
>>
>>
>
>
> --
> Fabrice [email protected] ::  +1.514.447.4918 (x135) ::  www.inverse.ca
> Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
> (http://packetfence.org)
_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
