Hi,

Today I played a little bit with the rule set.

The following workflow reproduces my problem:

I have a portal page which is registered to the SSID GAST-Dont-Use-It (it's
my testing WLAN).
I have a rule set for checking certificates (EAP-TLS) and for the SSID
"Fraunhofer-PF" which is my Internal WLAN.

If I connect a client which is currently unregistered in PF to my GAST
WLAN, PF presents the portal and I can log in with an internal user
which has the role "guest" assigned.
After that, the VLAN changes from the registration VLAN to my guest VLAN.
Everything seems to be fine.

Now the client connects to Fraunhofer-PF. OK, looks good: the 802.1X
auth works and the VLAN changes to my internal VLAN... Now I move the
client back to the guest WiFi. In the PF interface (Auditing) I can see
that a new RADIUS request is coming into PF, but PF sends back the
"Internal" VLAN, not the registration VLAN :(

Source and role don't change to guest.


Regards
Tobias


2016-09-27 22:44 GMT+02:00 Tobias Friede <[email protected]>:

>
> Hi Antoine,
>
>> There is a reevaluation happening every time a user connects to an SSID as
>> long as there is a new RADIUS request coming in.
>>
> That's what I expected. My Aerohive and my Cisco WLC of course send a
> new RADIUS request... But PF doesn't reevaluate the access; the old rule
> from the first connection persists.
>
>> Now for what you want to do, you could create a set of rules in your
>> source of authentication, AD I presume, and use the condition SSID. Send
>> back the role guest if the SSID is guest, or apply your normal rules if the
>> SSID is internal.
>>
> Yes, I have a rule for my WPA2-encrypted WiFi with 802.1X auth (no, I don't
> use AD auth; I use our client certificates from our Windows CA and do an
> EAP-TLS authentication).
> In that rule, I defined the appropriate SSID.
>
> Currently I use the internal database for guest users, but how can I
> configure a rule with internal users? Is it the "Legacy Source"? When I try
> to edit that rule, I get the following message:
> "Error! The file is not readable."
>
>
> Greetings
> Tobias
>
> On 09/21/2016 05:46 AM, Tobias Friede wrote:
>>
>> Hi,
>>
>> is it possible to reevaluate access every time a client/user
>> reconnects on our WiFi?
>>
>>
>> Greetings
>> Tobias
>>
>> 2016-09-02 11:36 GMT+02:00 Tobias Friede <[email protected]>:
>>
>>> Hi,
>>>
>>> No one with an idea how to fix my problem?
>>> Or is it better to use two PacketFence servers, one for internal
>>> authentication and one for hotspot services?
>>>
>>> Greetings
>>> Tobias
>>>
>>> 2016-09-01 9:20 GMT+02:00 Tobias Friede <[email protected]>:
>>> > Hi,
>>> >
>>> > I have the following problem. I have 2 SSIDs:
>>> > Guest and Internal.
>>> >
>>> > The guest WiFi is OPEN and just secured with a captive page. The
>>> > internal one is secured with 802.1X EAP-TLS.
>>> > If a user connects to the guest WiFi and logs in with a guest account,
>>> > our Aerohive APs and Cisco WLC will move them to the correct VLAN.
>>> > Everything seems to be fine. Unregistration via the PF interface works
>>> > fine too, so CoA is working.
>>> >
>>> > But if a user moves to the internal WiFi, the VLAN doesn't change back
>>> > to the internal VLAN.
>>> > The client still remains in the guest VLAN, I think because the client is
>>> > registered for the guest user account.
>>> > Is there any solution to solve this?
>>> >
>>> >
>>> >
>>> > Greetings
>>> > Tobias
>>>
>>
>>
>>
>> ------------------------------------------------------------------------------
>> _______________________________________________
>> PacketFence-users mailing list
>> [email protected]
>> https://lists.sourceforge.net/lists/listinfo/packetfence-users
>>
>>
>> --
>> Antoine [email protected] :: www.inverse.ca :: +1.514.447.4918 x130 :: +1 (866) 353-6153 x130
>> Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence (www.packetfence.org)
>>
>