Fabrice and Antoine, thanks for your help, we appreciate it.
If I summarize your mails, it will be something like this:


     Wireless AP                            Packet Fence                              FW
+--------------------+              +-------------------------+                    +-----------+
|                    |              |                         |  no routed network |           |        XXXXXXXXXX
|   multiple SSID    |    Trunk     |                         |  (dedicated subnet)|           |      XX          XX
|   one per VLAN     +--------------+eth1  <-----+----->  eth0+--------------fw-eth|    FW     +-----X   internet   X
|                    |              |            |            |                    |           |      XX          XX
|   each SSID is     | VLAN mngt    |            |            |                    |           |        XXXXXXXXXX
|   OPEN without     | VLAN employee|            |            |                    |           |
|   authentication   | VLAN guest   |      <-----+----->      |   routed traffic   |           |
|                    | VLAN Eduroam |            |            |                    |           |
+--------------------+              +------------+------------+                    +-----------+
                                                 |
                                                 +--> routing each VLAN
                                                 |    with next_hop => FW eth
                                                 |
                                                 +--> PacketFence internal DHCP server
                                                 |    One DHCP per VLAN
                                                 |    with gateway => packetfence
                                                 |
                                                 +--> PacketFence Inline Level 2
                                                      for each VLAN
                                                      with dedicated portal




Fabrice, you write that our AP needs to be compliant with web auth and 802.1x,
but actually we use an open SSID AND portal authentication on our POC (inline PF
with two interfaces and NAT); it should work the same for a POC with multiple
portals (one per VLAN), no? We will not be doing VLAN assignment.

Second (and easier) option: use NAT for each VLAN/SSID, not routing?


Regards

Pierrick Prost

CNRS Rhones Alpes

France



From: Fabrice Durand [mailto:[email protected]]
Sent: Thursday, 26 May 2016 15:52
To: [email protected]
Subject: Re: [PacketFence-users] PKfence help for validate architecture (VLAN trunk, no Vlan assignement, No NAT)

Hello Pierrick,

Yes, it should be possible; in fact it will be an inline network per VLAN and you
will have to play with iproute2 on the packetfence server.

Something like this:

vim /etc/iproute2/rt_tables

```
#
# reserved values
#
255     local
254     main
253     default
0       unspec
#
# local
#
#1      inr.ruhep
1       ISP2
```


```
ip route add 0.0.0.0/0 via 143.26.62.12 table ISP2
# or
ip route add 0.0.0.0/0 dev eth1 table 100

ip rule add iif eth0 lookup ISP2
```



Also, it looks like the AP is able to do web auth and 802.1x.

Regards
Fabrice

On 2016-05-26 06:21, PROST pierrick wrote:
Hi everyone,

We finished our test of PacketFence... this NAC is just awesome, good job! (I
came from Aruba ClearPass...)

We need your help to validate a POC. Is it possible to implement the following
architecture on PacketFence? We have a lot of Linksys LAPAC 1750 which support
VLAN trunk and SSID/VLAN assignment... and they are not compatible with
OpenWrt.





                                                                              
10 Gbt/s backbone

      WIFI AP                                                             
<------------------------>

+--------------------+                          +------------------------+      
                    +-------------------+
|                    |                          |                        |      
                    |                   |                      XXXXXXX XXXX
|                    |                          |      Packet Fence      |      
                    |                   |             XXXXXXXXXX     XXX  XX
|                    |      Trunk  eth1         |                        |      
                    |                   |             X                   XX
|   multiple SSID    |                          |                        |      
                    |                   |      XXXXXXXX                  XX
|   one per VLAN     +--------------------------+                        |      
  TRUNK eth0        |                   |     XX                       XXXXXXX
|                    |                          |                        |      
                    |         FW        |     X          internet            X
|                    |      VLAN mngt           |                        
+--------------------------+                   +------+X                        
    X
|                    |      VLAN employee       |                        |      
                    |                   |       X                          XX
|                    |      VLAN guest          |                        |      
  VLAN mngt         |                   |       X                     XXXXX
|                    |      VLAN Eduroam        |                        |      
  VLAN employee     |                   |       XXXXXX       X          X
|                    |                          |                        |      
  VLAN guest        |                   |            XXX     XXX        X
|                    |                          |                        |      
  VLAN Eduroam      |                   |               XXXXXX  XXX XXXX
|                    |                          |                        |      
                    |                   |
+--------------------+                          +------------------------+      
                    +-------------------+



Regards


Pierrick Prost

CNRS Rhones Alpes

France




_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users



--

Fabrice Durand

[email protected] :: +1.514.447.4918 (x135) :: www.inverse.ca

Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence (http://packetfence.org)
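Fabrice's iproute2 sketch above uses a single table (ISP2) and one rule for eth0. The following is an added example written for this thread, not code from the mails or from the PacketFence project; it generalises that sketch to one routing table and one `ip rule` per SSID/VLAN sub-interface on the trunk, which is what the per-VLAN inline design in the diagrams needs. The trunk name eth1, the VLAN ids 10/20/30/40 and the firewall next hop 10.0.0.1 are assumed values.

```shell
#!/bin/sh
# Added example, not code from the thread or from PacketFence: per-VLAN
# policy routing for an inline PacketFence server, generalising the single
# ISP2 table in Fabrice's mail to one table and one rule per SSID/VLAN.
# Assumed values: trunk eth1 with VLAN sub-interfaces eth1.<id>, VLAN ids
# 10/20/30/40, firewall next hop 10.0.0.1.
set -eu

TRUNK_IF="${TRUNK_IF:-eth1}"            # trunk from the AP (assumed)
FW_NEXT_HOP="${FW_NEXT_HOP:-10.0.0.1}"  # FW interface facing PacketFence (assumed)
DRY_RUN="${DRY_RUN:-1}"                 # 1 = print commands, 0 = apply (needs root)

# Print or execute a command depending on DRY_RUN.
run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }

# rt_tables_line VLAN_ID TABLE_NAME
# Line to append to /etc/iproute2/rt_tables. Table id = 100 + VLAN id,
# which stays clear of the reserved ids 0 and 253-255.
rt_tables_line() {
    printf '%d\t%s\n' "$((100 + $1))" "$2"
}

# vlan_route_cmds VLAN_ID TABLE_NAME
# Traffic entering on the VLAN sub-interface (iif) is looked up in that
# VLAN's own table, whose only route is a default via the firewall, so
# each SSID stays an isolated inline network with PacketFence as gateway.
vlan_route_cmds() {
    table="$2"
    vlan_if="${TRUNK_IF}.$1"
    run ip route add 0.0.0.0/0 via "$FW_NEXT_HOP" table "$table"
    run ip rule add iif "$vlan_if" lookup "$table"
}

# Emit the rt_tables entries and commands for the four SSIDs in the thread.
# Check the result afterwards with: ip rule show; ip route show table <name>
build_all() {
    for entry in "10 mngt" "20 employee" "30 guest" "40 eduroam"; do
        set -- $entry
        rt_tables_line "$1" "$2"
        vlan_route_cmds "$1" "$2"
    done
}

build_all
```

By default it only prints the rt_tables lines and ip commands for review; run it with DRY_RUN=0 as root to apply them.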