Hi David,

Not sure about the way you are using pf. Our setup is using out-of-band vlans. We do not use the SelectRole module. We use Default_registration_policy and default_login_policy for our modules. Our authentication source is Active Directory.

An example: We have a server with 3 NICs

Pf management address: 10.0.0.2/16 – vlan 1
Pf registration address: 10.90.0.2/16 – vlan 90 – used for captive portal
Pf isolation address: 10.99.0.2/16 – vlan 99 – used for black holing things

Then, on our switch, we have a user vlan. Vlan 20 with ip range of 10.20.0.0/16

Set switch management address to 10.100.0.3 (or whatever address you want)
Set a RADIUS server to 10.0.0.2.
Set DHCP helper for both 10.0.0.2 and your main DHCP server address for vlans 90 and 20.
Set the access ports to MAB and DOT1X Port Control Auto.

Specific switch configurations will depend on the switch make and model and capabilities. Check the documentation for your specific switch model.

On the pf server, set up a switch with IP of 10.100.0.3 and enter vlan 20 for the role in the switch configuration - Role by VLAN ID.

After doing some research, the SelectRole module looks like it is used for manually selecting a role for a device? In our environment, we just go to the management interface, login with admin credentials, select the node (it’s autodiscovered by pf assuming the node uses DHCP), then apply a user, role, and an unregistration date. Click save, and the device will automatically change to vlan 20.

Regards,

Peter Truax
Network Administrator
(360) 688-2240
Saint Martin’s University
5000 Abbey Way E
Lacey, WA 98503

From: David Brustad via PacketFence-users <[email protected]>
Sent: Monday, January 21, 2019 11:54 PM
To: [email protected]
Cc: David Brustad <[email protected]>
Subject: [External] [PacketFence-users] SelectRole/DNS/DHCP

Hello Guys,

PF Zen 8.3
Cisco WLC
Cisco Router
Production DHCP

I'm having trouble using the SelectRole portal module.

VLANS look like:
192.168.1.x
192.168.2.x
192.168.3.x
192.168.4.x
192.168.5.x
and so on.

PF admin IP is 192.168.1.200
Registration Interface is 192.168.10.10
Isolation interface is 192.168.11.10

So what I would like to provide is a portal where, after the user registers their laptop or phone, they can hit the network logoff page and jump back on the portal to log back in on another vlan using the SelectRole module.

So far, registration and isolation work fine, and I can see the SelectRole module and select the role, and I get dropped into the VLAN selected. The issue is, I lose the ability to hit the IP of the administration page (192.168.1.200) from any of the other vlans if I put a packetfence interface in that vlan.

On my network I was hoping to use the method of "interface in each vlan" with dhcp-listener flagged to get the DHCP traffic for those corresponding vlans. As soon as I drop an interface though in vlan 2 (192.168.2.10) and flag it dhcp-listener, 192.168.1.200 stops responding to pings from vlan 2, but 192.168.2.10 becomes pingable from within vlan 2.

If I assign a portal to 192.168.2.10 it then is available within vlan 2, but how am I able to keep DNS clean when the fqdn of the portal page changes within each different vlan? As it is now, it will actually work, but when I land in vlan 2 the portal page is 192.168.2.10/status, in vlan 3 192.168.3.10/status, and so on.

To verify this behavior I have a laptop sitting in vlan 2 (192.168.2.15) pinging 192.168.1.200, and I can toggle the pings on and off with the enable / disable toggle for the interface entry for 192.168.2.10.

I guess the question is: is SelectRole compatible with dhcp-listener interfaces, or must it work only with ip-helpers? It was my understanding I should define a network interface for each of the vlans packetfence should touch in some way, is that correct?

Has anyone else achieved this setup where you extensively use the portal for users to bounce between vlans, and if so, what am I missing to wrap it all together?

Many thanks for any tips, and thanks again for the amazing software.

David
_______________________________________________ PacketFence-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/packetfence-users
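The switch-side steps Peter lists above (RADIUS server pointed at the PF management address, DHCP helpers on the registration and user VLANs, MAB plus 802.1X with port-control auto), written out as an added example in Cisco IOS syntax. This is not configuration from either message or from the PacketFence project. The addresses 10.0.0.2, 10.100.0.3 and VLANs 20/90/99 come from Peter's message; the IOS command set, the SVI addresses 10.20.0.1 and 10.90.0.1, the management VLAN 100, the port GigabitEthernet1/0/1, the production DHCP server 192.0.2.53 and the shared-secret placeholder are assumptions for illustration.

```cisco
! Added example (not from the thread or from PacketFence): Cisco IOS switch
! side of the out-of-band setup Peter describes. 10.0.0.2 (PF management),
! 10.100.0.3 (switch management) and vlans 20/90/99 are from his message;
! SVI addresses, Vlan100, the port name, the production DHCP server
! 192.0.2.53 and the shared secret are assumptions.
!
! --- AAA: 802.1X and MAB requests go to PacketFence ---
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
!
radius server packetfence
 address ipv4 10.0.0.2 auth-port 1812 acct-port 1813
 key ReplaceWithSharedSecret
!
! Source RADIUS from the management SVI so PF sees requests from 10.100.0.3,
! the IP entered for this switch in PF's switch configuration.
ip radius source-interface Vlan100
!
! Let PF reauthenticate/bounce a port (RADIUS CoA) after an admin registers
! the node; same secret, client is PF's management address.
aaa server radius dynamic-author
 client 10.0.0.2 server-key ReplaceWithSharedSecret
!
dot1x system-auth-control
!
! The VLAN PF returns in its RADIUS reply must exist on the switch.
vlan 20
 name users
vlan 90
 name registration
vlan 99
 name isolation
!
interface Vlan100
 ip address 10.100.0.3 255.255.0.0
!
! Registration vlan: PF's captive portal lives on 10.90.0.2. The helper to
! 10.0.0.2 lets PF see DHCP (fingerprinting / autodiscovery); the second
! helper is the production DHCP server.
interface Vlan90
 ip address 10.90.0.1 255.255.0.0
 ip helper-address 10.0.0.2
 ip helper-address 192.0.2.53
!
! User vlan 20: same two helpers, so registered devices keep getting leases
! and PF keeps seeing them.
interface Vlan20
 ip address 10.20.0.1 255.255.0.0
 ip helper-address 10.0.0.2
 ip helper-address 192.0.2.53
!
! Access port: MAB tried first for phones/printers, 802.1X for supplicants,
! port-control auto so the VLAN comes from PF's RADIUS reply (Role by VLAN ID).
interface GigabitEthernet1/0/1
 switchport mode access
 authentication order mab dot1x
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 5
 spanning-tree portfast
```

Two checks before blaming PacketFence: `show authentication sessions interface GigabitEthernet1/0/1` should show the method (mab or dot1x) and the VLAN PF assigned, and the secret above must match what was entered for switch 10.100.0.3 on the PF side, otherwise PF silently drops the Access-Request. If the switch sources RADIUS from a different SVI than the address configured in PF, PF will not recognize the switch at all, which is why `ip radius source-interface` is pinned here.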
