Hi,
ok, I can't solve it by myself, so I have ordered a Support Contract.
I hope Inverse can help me :D
If I get a solution, I will post it here :)
Greetings
Tobias
2016-09-28 9:58 GMT+02:00 Tobias Friede <[email protected]>:
> Hi,
>
> today I played a little bit with the rule set.
>
> The following workflow to reproduce my Problem:
>
> I have a portal page which is registered to the SSID GAST-Dont-Use-It (It's
> my testing WLAN).
> I have a rule set for checking certificates (EAP-TLS) and for the SSID
> "Fraunhofer-PF" which is my Internal WLAN.
>
> If I connect a client, which is currently unregistered in PF to my GAST
> WLAN, pf is presenting the portal and I can login with an internal user
> which has assigned the role "guest".
> After that, the vlan is changing from registration VLAN to my Guest VLAN.
> Everything seems to be fine.
>
> Now, the client is connecting to Fraunhofer-PF, ok looks good, the 802.1x
> auth works and the VLAN changes to my internal VLAN.... Now I move the
> client back to the guest WiFi. In the PF interface (Auditing) I can see
> that a new RADIUS request is coming into PF, but PF sends back the
> "Internal" VLAN not the registration VLAN :(
>
> Source and Role don't change to guest.
>
>
> Greetings
> Tobias
>
>
> 2016-09-27 22:44 GMT+02:00 Tobias Friede <[email protected]>:
>
>>
>> Hi Antoine,
>>
>>> There is a reevaluate happening every time a user connects to an SSID as
>>> long as there is a new RADIUS request coming in.
>>>
>> That's what I expected. My Aerohive and my Cisco WLC of course send a
>> new RADIUS request... But PF doesn't reevaluate the access, the old rule
>> from the first connection persists.
>>
>>> Now for what you want to do, you could create a set of rules in your
>>> source of authentication, AD I presume, and use the condition SSID. Send
>>> back the role guest if the SSID is guest, or apply your normal rules if the
>>> SSID is internal.
>>>
>> Yes, I have a rule for my WPA2 encrypted WiFi with 802.1x auth (no, I
>> don't use AD Auth, I use our client certificates from our Windows CA and
>> do EAP-TLS authentication.)
>> In that rule, I defined the appropriate SSID.
>>
>> Currently I use the Internal Database for guest users, but how can I
>> configure a rule with internal users? Is it the "Legacy Source"? When I try
>> to edit that rule, I get the following message:
>> "Error! The file is not readable."
>>
>>
>> Greetings
>> Tobias
>>
>> On 09/21/2016 05:46 AM, Tobias Friede wrote:
>>>
>>> Hi,
>>>
>>> Is it possible to reevaluate access every time a client/user reconnects
>>> to our WiFi?
>>>
>>>
>>> Greetings
>>> Tobias
>>>
>>> 2016-09-02 11:36 GMT+02:00 Tobias Friede <[email protected]>:
>>>
>>>> Hi,
>>>>
>>>> No one with an idea how to fix my problem?
>>>> Or is it better to use two PacketFence servers, one for internal
>>>> authentication and one for hotspot services?
>>>>
>>>> Greetings
>>>> Tobias
>>>>
>>>> 2016-09-01 9:20 GMT+02:00 Tobias Friede <[email protected]>:
>>>> > Hi,
>>>> >
>>>> > I have the following problem. I have 2 SSIDs:
>>>> > Guest and Internal.
>>>> >
>>>> > The Guest WiFi is open and just secured with a captive page. The
>>>> > internal is secured with 802.1x EAP-TLS.
>>>> > If a user connects to the guest WiFi and logs in with a guest account,
>>>> > our Aerohive APs and Cisco WLC will move them to the correct VLAN.
>>>> > Everything seems to be fine. Unregistration via PF interface works
>>>> > fine too, so CoA is working.
>>>> >
>>>> > But if a user moves to the internal WiFi, the VLAN doesn't change back
>>>> > to the internal VLAN.
>>>> > The client still remains in guest VLAN, I think, because the client is
>>>> > registered for the guest user account.
>>>> > Is there any solution to solve this?
>>>> >
>>>> >
>>>> >
>>>> > Greetings
>>>> > Tobias
>>>>
>>>
>>> _______________________________________________
>>> PacketFence-users mailing list
>>> [email protected]
>>> https://lists.sourceforge.net/lists/listinfo/packetfence-users
>>>
>>>
>>> --
>>> Antoine [email protected] :: www.inverse.ca +1.514.447.4918 x130
>>> :: +1 (866) 353-6153 x130
>>> Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence
>>> (www.packetfence.org)
>>>
>>
>