Hi there,

After having played around with PF and read heaps of implementation
samples, I have put together this list and have some questions.

I do not plan to use the portal or registration pages with PF as all
authentication is via 802.1x - so here we go...

1.  Use a wireless controller with a registration SSID (Registration VLAN).
2.  Have clients (Visitors) connect to the SSID and use 802.1x
authentication. DHCP provided by PF
3.  On success, put client in a different VLAN, predetermined by the
credentials provided.
4.  Each VLAN has a dedicated server that the client shall be able to
connect to. DHCP provided by PF
5.  Each server needs Internet access as does the client that has been
put in the VLAN.
6.  All Internet bound traffic shall go out via the Management interface.
7.  Management interface is connected to a firewall with Masquerade (NAT).
8.  It shall be possible to terminate the session from outside or by
client choice. (Go back to registration VLAN)
9.  The servers that the clients connect to, interact with external
equipment and that interaction can trigger a "disconnect" from the
VLAN.
10. Disconnection may be triggered by client disassociation from
access point or by externally controlled disconnect.
11. Only one client will ever be in any VLAN at any one time.


Fabrice has kindly given some pointers previously. Based on his
suggestions and documentation I have the following suggestion:

I have created 10 VLANs with 1 being for registration, using 802.1x
via a wireless controller and a public SSID.
The other 9 VLANs are set to inline layer 2, each with their own
distinct IP range (192.168.xx.0/24).
The interface, on which the 10 VLANs are configured, is used to
listen for RADIUS traffic and access my switches from the CLI of PF
(No VLAN, set to "other").
Each VLAN has DHCP enabled (It works, devices get DHCP assigned IP addresses)
Management interface is set to 172.16.xx.yy with a gateway IP of
172.16.xx.254 and is plugged into a firewall to the Internet (Internet
access OK).
Wireless LAN Controller is a Ruckus ZD1200 (Will later be a Cisco 5508).

What is missing is:

How to make the 9 servers (One in each VLAN) connect to the Internet
permanently but still be assigned IP addresses from the PF DHCP
server?
Preferably, I should be able to set up a static IP address for each
server in each VLAN - Documentation says this can be done by manually
configuring DHCP.
Is there a way to set these up and "manually" register them
permanently? Using an ACL or something similar.

How to allow clients access to the Internet, once assigned to any of
the 9 VLANs? The client shall still be assigned the appropriate IP
address by DHCP.
As there will only ever be 1 client in a VLAN at any one time, its MAC
address could be used to open up access, however, it needs to have PF
assign IP addresses.

Finally, on receiving a "disconnect" signal from the external
equipment, the client shall be disconnected from the VLAN and
preferably disassociated from the WLC.
Is it even possible to tell the WLC to disassociate a client via PF,
maybe through the API?

I know this is a very specific implementation but PF seems to have all
that would be needed to do this.

Tony
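A worked example of the disconnect mechanism the post asks about, added here and not part of the original post or of PacketFence's own code: the RFC 5176 RADIUS Disconnect-Request that a NAC sends to a wireless controller to drop one client session (keyed on Calling-Station-Id, i.e. the MAC), plus verification of the controller's Disconnect-ACK. The shared secret, MAC and user name are constructed values; that a given controller honours RFC 5176 on its CoA port is an assumption to check against its documentation.

```python
import hashlib
import hmac
import os
import struct

# RFC 5176 packet codes
DISCONNECT_REQUEST = 40
DISCONNECT_ACK = 41
DISCONNECT_NAK = 42

# RADIUS attribute types used to identify the session
ATTR_USER_NAME = 1
ATTR_CALLING_STATION_ID = 31


def attr(atype, value):
    """Encode one RADIUS attribute as Type(1) Length(1) Value."""
    return struct.pack("!BB", atype, 2 + len(value)) + value


def build_disconnect_request(secret, mac, user_name, ident=None):
    """Build a Disconnect-Request for the session of one client MAC.
    Request Authenticator = MD5(Code+ID+Length+16 zero octets+Attrs+Secret)."""
    attrs = attr(ATR_USER_NAME if False else ATTR_USER_NAME, user_name.encode())
    attrs += attr(ATTR_CALLING_STATION_ID, mac.encode())
    if ident is None:
        ident = os.urandom(1)[0]          # per-request identifier
    header = struct.pack("!BBH", DISCONNECT_REQUEST, ident, 20 + len(attrs))
    authenticator = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + authenticator + attrs


def build_response(secret, request, code=DISCONNECT_ACK, attrs=b""):
    """Simulate the NAS side: Response Authenticator =
    MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    authenticator = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return header + authenticator + attrs


def verify_response(secret, request, response):
    """Accept a response only if ID matches and its authenticator checks out."""
    if len(response) < 20 or response[1] != request[1]:
        return False
    length = struct.unpack("!H", response[2:4])[0]
    if length != len(response):
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])
```

In deployment the request is sent over UDP to the controller's CoA/disconnect port (3799 by default per RFC 5176) and only a verified ACK should be treated as "client gone".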


_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
