Thanks for your reaction. What I want to achieve is that:

- users authenticate via 802.1X credentials, so they do not see the portal
- users with normal hosts (laptops, etc) get a vlan based on their user id / group membership (I have set up per packetfence role an AD security group)
- users with mobiles (phone, tablets) get a vlan specifically for these devices.

I tried to achieve this by a VLAN filter:

****************
[WJG]
filter = ssid
operator = is
value = WJG

[mobile]
filter = node_info
attribute = device_class
operator = is
value = Smartphones/PDAs/Tablets

[1:WJG&mobile]
scope = RegisteredRole
role = iguest
****

If the user is authenticating via 802.1X with his mobile phone, what happens is the following:

1) first connect: device is not known to packetfence
- in role.pm, the vlan filter is not recognized/does not fire because the fingerprint info (the device class to be specific) is not available.
- about one second after the getRegisteredRole in role.pm, the fingerprint is queried according to the fingerprint log.

What happens then is that device gets assigned the VLAN that I associate with the user using a source (e.g. for laptops).

2) subsequent connects
- the mobile phone is placed into the correct vlan
- the fingerprint query is now in time

From your answer I understand the first connect gives problems because the device is not known to PF yet. The problem is that by using a portal, you would first have a connect to the registration vlan, allowing PF to fingerprint the device, while with 802.1X the right VLAN should be assigned directly. Is there a workaround for this?

Best,

JG

> Can you tell me if you already saw the first case on a first connection of a
> device (the device is not known by PacketFence).
>
> The reason I’m asking is:
> Fingerprint is based on different variables coming from the endpoint;
> - dhcp fingerprint
> - dhcp vendor
> - user agent
> - mac address
> - …
>
> Fingerprinting process, since it depends on some endpoint variables, is basically
> happening at two different moments;
> - after DHCP request
> - after hitting the portal
>
> If you connect an unknown device to an SSID, the device class won’t be
> populated before a first DHCP request or portal hit, which means, either
> having to go through registration process or an initial VLAN assignment (for
> DHCP to occur)
>
> Also, it needs to be taken into consideration that the fingerprinting process is
> async, which means, other actions (that may or may not depend on the
> fingerprinting result) can be triggered even if the fingerprinting process is
> not done. (using a queue)
>
>
> Cheers!
> -dw.
>
> —
> Derek Wuelfrath
> [email protected] :: +1.514.447.4918 (x110) :: +1.866.353.6153 (x110)
> Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence
> (www.packetfence.org)
>
> > On Jun 27, 2016, at 09:36, frm frm <[email protected]> wrote:
> >
> > Hi,
> >
> > I try to give my mobile devices a specific VLAN via a filter:
> >
> > [WJG]
> > filter = ssid
> > operator = is
> > value = WJG
> >
> > [mobile]
> > filter = node_info
> > attribute = device_class
> > operator = is
> > value = Smartphones/PDAs/Tablets
> >
> > [1:WJG&mobile]
> > scope = RegisteredRole
> > role = iguest
> >
> > My mobiles sometimes get the right VLAN but sometimes get the VLAN
> > associated with the role of that user.
> >
> > Checking packetfence.log and fingerbank.log shows that sometimes the
> > fingerprint is found *after* packetfence assigns the VLAN. Therefore
> > in role.pm, the correct device_class is not found (I checked this with
> > some debugging code) while checking for the VLAN filter.
> > Is it possible that there is some race condition?
> > Can I express in some way that packetfence should assign VLANs after
> > fingerprinting of that device is finished?
> >
> > Best,
> >
> > JG
> >
> > ------------------------------------------------------------------------------
> > Attend Shape: An AT&T Tech Expo July 15-16. Meet us at AT&T
> > Park in San Francisco, CA to explore cutting-edge tech and listen to
> > tech luminaries present their vision of the future. This family event
> > has something for everyone, including kids. Get more information and
> > register today.
> > http://sdm.link/attshape
> > _______________________________________________
> > PacketFence-users mailing list
> > [email protected]
> > https://lists.sourceforge.net/lists/listinfo/packetfence-users
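
The behaviour described in this thread, modelled as an added example (not PacketFence code and not written by any poster): a simplified evaluator for the filter quoted above, run against a first connect where `device_class` is still empty and a later connect where it is populated. It supports only the `is` operator and `&` conditions; the `staff` source role and the request dictionaries are constructed assumptions.

```python
import configparser

# The filter exactly as posted in the thread.
VLAN_FILTERS = """
[WJG]
filter = ssid
operator = is
value = WJG

[mobile]
filter = node_info
attribute = device_class
operator = is
value = Smartphones/PDAs/Tablets

[1:WJG&mobile]
scope = RegisteredRole
role = iguest
"""

def load(text):
    """Split sections into named conditions and numbered rules (those with a scope)."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    conds = {n: dict(cp[n]) for n in cp.sections() if "scope" not in cp[n]}
    rules = [(n, dict(cp[n])) for n in cp.sections() if "scope" in cp[n]]
    rules.sort(key=lambda r: int(r[0].split(":", 1)[0]))
    return conds, rules

def cond_true(cond, request):
    """Evaluate one condition; only the 'is' operator is modelled here."""
    if cond["filter"] == "node_info":
        actual = request["node_info"].get(cond["attribute"])
    else:
        actual = request.get(cond["filter"])
    return cond["operator"] == "is" and actual == cond["value"]

def registered_role(request, source_role, conds, rules):
    """Return the first matching filter role, else the role from the source."""
    for name, rule in rules:
        wanted = name.split(":", 1)[1].split("&")
        if rule["scope"] == "RegisteredRole" and all(cond_true(conds[c], request) for c in wanted):
            return rule["role"]
    return source_role  # filter did not fire: the user's role wins

def simulate():
    """Constructed requests: same phone before and after fingerprinting completes."""
    conds, rules = load(VLAN_FILTERS)
    first = {"ssid": "WJG", "node_info": {"device_class": None}}
    later = {"ssid": "WJG", "node_info": {"device_class": "Smartphones/PDAs/Tablets"}}
    return [registered_role(r, "staff", conds, rules) for r in (first, later)]
```
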
