Pierrick,
I had in mind that you wanted to use out-of-band, not inline.
So you should not take into account my comment about the second trunk.
Thank you
On 05/26/2016 10:51 AM, PROST pierrick wrote:
Fabrice and Antoine, thanks for your help, we appreciate it.
If I summarize your mails, it will be something like this:
[Diagram: Wireless AP (multiple SSIDs, one per VLAN; each SSID is an open, routed VLAN without authentication) --Trunk--> PacketFence eth0, carrying VLAN mngt, VLAN employee, VLAN guest and VLAN Eduroam. PacketFence eth1 --> FW (fw-eth) --> internet, over a non-routed, dedicated subnet.]
+--> routing each VLAN with next_hop => FW eth
+--> PacketFence internal DHCP server, one DHCP per VLAN, with gateway => packetfence
+--> PacketFence Inline Level 2 for each VLAN, with dedicated portal
Fabrice, you write that our AP needs to be compliant with web auth and
802.1x, but actually we use an open SSID AND portal authentication on our
POC (inline PF with two interfaces and NAT); it should work the same for a
POC with multiple portals (one per VLAN), no? We will not be doing VLAN
assignment.
Second (and easier) option: using NAT for each VLAN/SSID, not routing?
Regards
Pierrick Prost
CNRS Rhones Alpes
France
*From:* Fabrice Durand [mailto:[email protected]]
*Sent:* Thursday, May 26, 2016 15:52
*To:* [email protected]
*Subject:* Re: [PacketFence-users] PKfence help to validate
architecture (VLAN trunk, no VLAN assignment, no NAT)
Hello Pierrick,
yes, it should be possible; in fact it will be an inline network per VLAN
and you will have to play with iproute2 on the PacketFence server.
Something like this:
vim /etc/iproute2/rt_tables
```
#
# reserved values
#
255 local
254 main
253 default
0 unspec
#
# local
#
#1 inr.ruhep
1 ISP2
```
```
# default route of table ISP2 via the FW next hop
ip route add 0.0.0.0/0 via 143.26.62.12 table ISP2
# or, by output interface only (table referenced by number)
ip route add 0.0.0.0/0 dev eth1 table 100
# packets entering on eth0 are looked up in table ISP2
ip rule add iif eth0 lookup ISP2
```
Also, it looks like the AP is able to do web auth and 802.1x.
Regards
Fabrice
On 2016-05-26 06:21, PROST pierrick wrote:
Hi everyone,
We finished our test of PacketFence... this NAC is just awesome,
good job! (I come from Aruba ClearPass...)
We need your help to validate a POC. Is it possible to implement
the following architecture on PacketFence? We have a lot of
Linksys LAPAC 1750 which support VLAN trunk and SSID/VLAN
assignment... and they are not compatible with OpenWrt.
[Diagram: WIFI AP (multiple SSIDs, one per VLAN: VLAN mngt, VLAN employee, VLAN guest, VLAN Eduroam) --Trunk (eth1)--> Packet Fence --TRUNK (eth0)--> FW --> internet, over a 10 Gbit/s backbone; the same four VLANs are carried on the trunk towards the FW.]
Regards
Pierrick Prost
CNRS Rhones Alpes
France
_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
--
Fabrice Durand
[email protected] :: +1.514.447.4918 (x135)
:: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence
(http://packetfence.org)
--
Antoine Amacher
[email protected] :: +1.514.447.4918 *130 :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence
(www.packetfence.org)
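A config generator for the per-VLAN policy routing Fabrice sketches above (one routing table and one `iif` rule per inline VLAN), added here as an example and not code from this thread or from PacketFence. It assumes the VLANs ride on eth0.<vid> sub-interfaces, the FW is reached on eth1, and the VLAN ids and FW next hop are constructed values.

```python
# Added example: generate the per-VLAN iproute2 policy routing Fabrice
# describes. eth0.<vid>, eth1, VLAN ids and FW next hop are assumed values.
# Constructed sample of /etc/iproute2/rt_tables (comment lines kept on purpose)
RT_TABLES = """255 local
254 main
253 default
0 unspec
#1 inr.ruhep
1 ISP2
"""
# Constructed VLAN plan: (name, VLAN id on the eth0 trunk, FW next hop on eth1)
VLANS = [("mngt", 10, "192.0.2.1"), ("employee", 20, "192.0.2.1"),
         ("guest", 30, "192.0.2.1"), ("eduroam", 40, "192.0.2.1")]

def parse_rt_tables(text):
    """Return {name: id} for the active entries; duplicates are a config error."""
    tables = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        tid, name = line.split()
        if name in tables or int(tid) in tables.values():
            raise ValueError(f"duplicate rt_tables entry: {tid} {name}")
        tables[name] = int(tid)
    return tables

def allocate_tables(existing, names, start=100):
    """Give each VLAN its own table id, never colliding with existing ids."""
    result, used, next_id = dict(existing), set(existing.values()), start
    for name in names:
        if name not in result:
            while next_id in used:
                next_id += 1
            result[name] = next_id
            used.add(next_id)
    return {n: result[n] for n in names}

def render_commands(vlans, tables, inline_if="eth0", uplink_if="eth1"):
    """rt_tables lines plus the ip route / ip rule commands, one pair per VLAN."""
    rt_lines = [f"{tables[name]} {name}" for name, _, _ in vlans]
    cmds = []
    for name, vid, gw in vlans:
        tbl = tables[name]
        # each VLAN table only knows the FW as default next hop, so inter-VLAN
        # traffic is forced through the FW as well (the intent of the design)
        cmds.append(f"ip route add 0.0.0.0/0 via {gw} dev {uplink_if} table {tbl}")
        cmds.append(f"ip rule add iif {inline_if}.{vid} lookup {tbl}")
    return rt_lines, cmds
```

Append the returned rt_lines to /etc/iproute2/rt_tables and run the commands in order; the local table is still consulted first by rule priority 0, so the per-VLAN portal stays reachable.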