Hello all,

I have set up a new packetfence server with dynamic vlans in
out-of-band and am having issues with the captive portal popping up when
clients connect to the AP. The clients get put into the registration vlan
and are assigned the registration interface as the DNS server. Blackhole
DNS seems to be working as all dns requests get forwarded to the
registration interface's IP address and the client is able to ping that
address.

tcpdump is showing a lot of these:

pf.domain.com.https > 10.11.100.13.53213: Flags [R.], seq 0, ack 4117981027, win 0, length 0

The address 10.11.100.13 is the client that is connected to the AP that
will need to register with the captive portal.

netstat is showing the following:

netstat -tnlp | grep http
tcp        0      0 127.0.0.1:80            0.0.0.0:*               LISTEN      1995/httpd
tcp        0      0 127.0.0.1:443           0.0.0.0:*               LISTEN      1995/httpd
tcp        0      0 127.0.0.1:7070          0.0.0.0:*               LISTEN      1892/httpd
tcp        0      0 10.10.0.68:7070         0.0.0.0:*               LISTEN      1892/httpd
tcp        0      0 127.0.0.1:9090          0.0.0.0:*               LISTEN      1879/httpd
tcp        0      0 10.10.0.68:9090         0.0.0.0:*               LISTEN      1879/httpd
tcp        0      0 10.10.0.68:1443         0.0.0.0:*               LISTEN      1832/httpd
tcp        0      0 10.10.0.68:1444         0.0.0.0:*               LISTEN      1995/httpd
tcp        0      0 0.0.0.0:5252            0.0.0.0:*               LISTEN      1844/httpd
tcp        0      0 10.10.0.68:9191         0.0.0.0:*               LISTEN      1832/httpd
tcp        0      0 0.0.0.0:9000            0.0.0.0:*               LISTEN      1939/httpd
tcp6       0      0 :::8888                 :::*                    LISTEN      1787/pfhttpd
tcp6       0      0 :::8889                 :::*                    LISTEN      1787/pfhttpd
tcp6       0      0 :::8777                 :::*                    LISTEN      1793/pfhttpd

10.10.0.68 is the management interface of my pf server. I'm not sure if
this looks correct. Should I have port 80 and 443 mapped to my management
interface?

My pf.conf looks like this:

[general]
#
# general.domain
#
# Domain name of PacketFence system.
domain=domain.com
#
# general.hostname
#
# Hostname of PacketFence system.  This is concatenated with the domain in
# Apache rewriting rules and therefore must be resolvable by clients.
hostname=pf
#
# general.dhcpservers
#
# Comma-delimited list of DHCP servers.  Passthroughs are created to allow
# DHCP transactions from even "trapped" nodes.
dhcpservers=127.0.0.1,10.10.0.254
#
# general.timezone
#
# System's timezone in string format. List generated from Perl library
# DateTime::TimeZone
timezone=America/New_York

[alerting]
#
# alerting.emailaddr
#
# Email address to which notifications of rogue DHCP servers, violations
# with an action of "email", or any other PacketFence-related message goes to.
emailaddr=
#
# alerting.smtpserver
#
# Server through which to send messages to the above emailaddr.  The
# default is localhost - be sure you're running an SMTP host locally if you
# don't change it!
smtpserver=aspmx.l.google.com

[database]
#
# database.user
#
# Username of the account with access to the MySQL database used by
# PacketFence. Changing this parameter after the initial configuration will
# *not* change it in the database itself, only in the configuration.
user=
#
# database.pass
#
# Password for the mysql database used by PacketFence. Changing this
# parameter after the initial configuration will *not* change it in the
# database itself, only in the configuration.
pass=

[services]
#
# services.pfbandwidthd
#
# Should pfbandwidthd be managed by PacketFence?
pfbandwidthd=enabled

[captive_portal]
#
# captive_portal.network_detection_ip
#
# This IP is used as the webserver who hosts the
# common/network-access-detection.gif which is used to detect if network
# access was enabled.
# It cannot be a domain name since it is used in registration or quarantine
# where DNS is blackholed.
# It is recommended that you allow your users to reach your packetfence
# server and put your LAN's PacketFence IP.
# By default we will make this reach PacketFence's website as an easy
# solution.
#
network_detection_ip=10.10.0.68

[interface eth0]
ip=10.10.0.68
type=management,portal
mask=255.255.252.0

[interface eth0.200]
enforcement=vlan
ip=10.10.100.253
type=internal
mask=255.255.255.0

[interface eth0.201]
enforcement=vlan
ip=10.10.101.253
type=internal
mask=255.255.255.0

Should eth0.200 and eth0.201 be of type internal? Shouldn't they say
registration and isolation?


Thanks for any help you can provide. If you need more information let me
know.
-- 
Chris Abel
Systems and Network Administrator
Wildwood Programs
2995 Curry Road Extension
Schenectady, NY  12303
518-836-2341

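An added check (my own Python, not PacketFence tooling and not from the post) that parses `netstat -tnlp` output and reports, for each interface IP in the pf.conf above, which captive-portal ports have no socket bound to that address; the listener table is constructed to mirror the post, and treating 80/443 as the ports the portal must answer on is an assumption. A server-sent RST like the one in the tcpdump line means no socket was listening on that destination address and port, so this is the first thing to check before touching interface types.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample in `netstat -tnlp` layout, mirroring the listeners in the post.
NETSTAT_OUTPUT = """\
tcp   0 0 127.0.0.1:80     0.0.0.0:* LISTEN 1995/httpd
tcp   0 0 127.0.0.1:443    0.0.0.0:* LISTEN 1995/httpd
tcp   0 0 10.10.0.68:1443  0.0.0.0:* LISTEN 1832/httpd
tcp   0 0 0.0.0.0:5252     0.0.0.0:* LISTEN 1844/httpd
tcp6  0 0 :::8888          :::*      LISTEN 1787/pfhttpd
"""

# Interface addresses taken from the pf.conf in the post: name -> (ip, netmask).
INTERFACES = {
    "eth0": ("10.10.0.68", "255.255.252.0"),
    "eth0.200": ("10.10.100.253", "255.255.255.0"),
    "eth0.201": ("10.10.101.253", "255.255.255.0"),
}
PORTAL_PORTS = (80, 443)  # assumed: ports a trapped client is redirected to
WILDCARDS = {"0.0.0.0", "::", "*"}
LINE_RE = re.compile(r"^tcp6?\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+LISTEN")

def parse_listeners(text):
    """Return [(local_addr, port), ...] for every LISTEN row in netstat output."""
    rows = [LINE_RE.match(line) for line in text.splitlines()]
    return [(m.group(1), int(m.group(2))) for m in rows if m]

def listens_on(listeners, ip, port):
    """True if a socket on `port` accepts connections addressed to `ip`.
    A wildcard bind (0.0.0.0, or :: assuming a dual-stack socket) covers all."""
    return any(p == port and (a in WILDCARDS or a == ip) for a, p in listeners)

def missing_portal_listeners(listeners, interfaces=INTERFACES, ports=PORTAL_PORTS):
    """Per interface, the portal ports with no socket bound to its IP.
    A client reaching such an address:port gets a TCP RST, not the portal."""
    report = {}
    for name, (ip, _mask) in interfaces.items():
        missing = [p for p in ports if not listens_on(listeners, ip, p)]
        if missing:
            report[name] = missing
    return report

def interface_for_client(client_ip, interfaces=INTERFACES):
    """Name of the configured interface whose subnet holds `client_ip`, or None."""
    for name, (ip, mask) in interfaces.items():
        if ip_address(client_ip) in ip_network(f"{ip}/{mask}", strict=False):
            return name
    return None
```

`interface_for_client` lets you confirm that the client address seen in tcpdump actually falls inside one of the configured registration or isolation subnets; if it returns None, the client is not on a network PacketFence knows about.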
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users