Thank you for your efforts, Derek.

I applied your fix (I opened that file with a text editor and changed
just that line, is that enough?), I re-enabled that option, as you told
me to do, and tested that situation again (connect to the first
network, authenticate through the captive portal, then disconnect and
connect to the second network).

The first time, it worked as expected. The captive portal of the
second network was shown: login and password fields.

But then, once authenticated on the second network, I went the other
way round (I disconnected from the second network and connected to the
first network), and my cell phone notified me to log in. When I clicked the
notification and the browser opened, the captive portal of the first
network showed me not the login and password fields, but a message
like "Your network should be enabled within a minute or two. If it is
not, reboot your computer". And it enabled my device. I believe the
captive portal should present the login and password fields again.

Then, I checked the Nodes tab on PacketFence, and my device ended up
with an IP address from the first network, but a role from the second,
similar to what happened before.

I tested changing networks many times. It seems like now PacketFence
does not behave the same way all the time: sometimes it shows me the
login form, sometimes it says my network should be enabled within a
minute or two (and then access to the network is granted), sometimes
my cell phone does not even notify me about authentication and access
is granted immediately.

We don't believe that our users are going to really do something like
that (e.g. connect to the Patients Wi-Fi, authenticate as a valid
patient, then connect to the Corporative Wi-Fi and get access granted
automatically, despite not being a valid employee). But realizing
that was possible made us concerned about security, so we ended up
using two different servers to manage the two Wi-Fi networks, but we would
like to use just PacketFence, if that problem gets solved.

I'm going to try Jake's suggestion, but I did not understand it
completely. Maybe I would need a howto. As I said, I already set up
Network filters on the Portal Profiles configuration screen. Shouldn't
that be sufficient?

Thank you again!


2017-01-16 15:52 GMT-02:00 Derek Wuelfrath <dwuelfr...@inverse.ca>:
>
> Antonio,
>
> So I tested the flow described and discovered a code issue when it comes to 
> the IP reevaluation workflow.
> I opened an issue (https://github.com/inverse-inc/packetfence/issues/1963) 
> and fixed it with the commit id 
> (https://github.com/inverse-inc/packetfence/commit/73ab8151017d49e1006f5f8bc37bbf401a69cb1f)
>
> Please try to apply that fix to your setup, reenable the “Reauthenticate 
> node” configuration parameter under Configuration > Inline and let me know if 
> that works.
>
> Cheers!
> -dw.
>
> --
> Derek Wuelfrath
> de...@inverse.ca
> Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence 
> (www.packetfence.org)
>
> On Jan 13, 2017, at 17:01, viny <vinyanali...@gmail.com> wrote:
>
> In principle, in the hospital where I work, what we wanted was to use
> PacketFence to manage both of our wireless networks, as I reported
> here: https://sourceforge.net/p/packetfence/mailman/message/35511813/
>
> Unless you configure PacketFence otherwise [...]
>
>
> We would like to configure PacketFence so that it automatically
> unregisters any node that leaves a first network and enters a second
> one, showing that node the second network's captive portal so it must
> register again to use the second network. But we don't know how to
> achieve that. Do you have any idea on how to do it?
>
> If you could shed some light on that problem, we would be very
> thankful. We could shut down pfSense and use only PacketFence.
>
> Let me explain our setup.
>
> In our first experiment with PacketFence, we have set up its interfaces
> this way:
>
> - eth0: Management
> - eth0 VLAN ID 500: Inline Layer 2, IP address 10.100.32.1/20
> - eth0 VLAN ID 600: Inline Layer 2, IP address 10.100.64.1/20
>
> And we have set up Ubiquiti APs to serve two wireless networks:
>
> (1) SSID Corporative Wi-Fi: VLAN ID 500
> (2) SSID Patients Wi-Fi: VLAN ID 600
>
> Following the Administration Guide, in PacketFence:
>
> - We have created two user roles: (1) Employee and (2) Patient
> - We have added two authentication sources: (1) Active Directory with a
> rule so that Role = Employee and (2) external HTTP API with a rule so
> that Role = Patient
> - We have created two portal profiles: (1) Employee, with a filter
> Network = 10.100.32.0/20 and Source = Active Directory and (2) Patient
> with a filter Network = 10.100.64.0/20 and Source = external HTTP API
>
> So, what happens? (let me retype the relevant portion of my first
> email)
>
> We have noticed that if we connect to the Corporative Wi-Fi and
> authenticate through the captive portal, then disconnect and connect
> to the Patients Wi-Fi, its captive portal is not shown and access to
> that second network is granted. In the end, the device is shown on the
> Nodes table with an IP Address from the Patients network, but Role =
> Corporative.
>
>
> Enabling the option Reauthenticate node (Should have to reauthenticate
> the node if vlan change) in Configuration > Main > Inline did not
> help.
>
>
> Is there any way we could enforce reauthentication if the user exits
> one network and enters another?
>
> Thank you in advance!
>
>
> Antonio
>
>
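The symptom reported in this thread is a node that holds an address from one inline network but keeps the role it earned on the other. The following script is an added example, not code from the thread or from PacketFence itself: it encodes the two portal-profile network filters Antonio describes (10.100.32.0/20 with role Employee, 10.100.64.0/20 with role Patient), audits a list of node records for role/network mismatches, and walks a sequence of (MAC, IP) observations to flag nodes whose network changed and therefore should be sent back through the captive portal. The node records and observation events are constructed sample data; the function names and the `Node` record are assumptions for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Portal profiles as described in the thread: the network filter on each
# profile and the role its authentication source assigns.
PROFILE_NETWORKS = {
    ipaddress.ip_network("10.100.32.0/20"): "Employee",  # Corporative Wi-Fi, VLAN 500
    ipaddress.ip_network("10.100.64.0/20"): "Patient",   # Patients Wi-Fi, VLAN 600
}


@dataclass(frozen=True)
class Node:
    """One row of the Nodes table (hypothetical shape, constructed for this example)."""
    mac: str
    ip: str
    role: str


def network_of(ip: str):
    """Return the profile network containing ip, or None if no filter matches."""
    addr = ipaddress.ip_address(ip)
    for net in PROFILE_NETWORKS:
        if addr in net:
            return net
    return None


def expected_role(ip: str):
    """Return the role the portal profile for ip's network would assign,
    or None if the address is outside every profile's network filter."""
    net = network_of(ip)
    return PROFILE_NETWORKS[net] if net is not None else None


def find_role_mismatches(nodes):
    """Return nodes whose registered role does not match the network they
    currently hold an address in (the symptom reported in the thread).
    Addresses outside every profile network are not reported."""
    return [n for n in nodes if expected_role(n.ip) not in (None, n.role)]


def should_reauthenticate(events):
    """Walk a sequence of (mac, ip) observations in order. Return a list of
    (mac, previous_network, new_network) for every observation where the
    node moved from one profile network to another; such a node should be
    deregistered so the new network's captive portal is shown again."""
    last_net = {}
    flagged = []
    for mac, ip in events:
        net = network_of(ip)
        prev = last_net.get(mac)
        if prev is not None and net is not None and net != prev:
            flagged.append((mac, str(prev), str(net)))
        if net is not None:
            last_net[mac] = net
    return flagged


# Constructed sample data (not taken from the thread).
SAMPLE_NODES = [
    Node("aa:bb:cc:00:00:01", "10.100.33.10", "Employee"),
    Node("aa:bb:cc:00:00:02", "10.100.65.20", "Employee"),  # Patients network, Employee role
    Node("aa:bb:cc:00:00:03", "10.100.70.5", "Patient"),
]

SAMPLE_EVENTS = [
    ("aa:bb:cc:00:00:02", "10.100.33.10"),  # first seen on Corporative Wi-Fi
    ("aa:bb:cc:00:00:02", "10.100.33.10"),  # same network, nothing to do
    ("aa:bb:cc:00:00:02", "10.100.65.20"),  # moved to Patients Wi-Fi
    ("aa:bb:cc:00:00:02", "10.100.32.5"),   # moved back to Corporative Wi-Fi
]

if __name__ == "__main__":
    for n in find_role_mismatches(SAMPLE_NODES):
        print(f"{n.mac} has role {n.role} but {n.ip} is in the "
              f"{expected_role(n.ip)} network")
    for mac, prev, new in should_reauthenticate(SAMPLE_EVENTS):
        print(f"{mac} moved from {prev} to {new}: send back through the portal")
```

Running this over an export of the real Nodes table (one `Node` per row) gives a quick audit of whether any device currently holds a role that its network's portal profile would never have assigned, which is the condition the thread describes; the event walker shows the policy the original question asks for, expressed independently of the Reauthenticate node setting.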

_______________________________________________
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users
