Hello, I don't know your hardware, but it's probably easier to use the client isolation feature on the AP. Regards
On Wednesday, 6 March 2019, Tony W via PacketFence-users <[email protected]> wrote:

> Hi there,
>
> After having played around with PF and read heaps of implementation samples, I have put together this list and have some questions.
>
> I do not plan to use the portal or registration pages with PF as all authentication is via 802.1x - so here we go...
>
> 1. Use a wireless controller with a registration SSID (Registration VLAN).
> 2. Have clients (Visitors) connect to the SSID and use 802.1x authentication. DHCP provided by PF.
> 3. On success, put the client in a different VLAN, predetermined by the credentials provided.
> 4. Each VLAN has a dedicated server that the client shall be able to connect to. DHCP provided by PF.
> 5. Each server needs Internet access, as does the client that has been put in the VLAN.
> 6. All Internet-bound traffic shall go out via the Management interface.
> 7. The Management interface is connected to a firewall with Masquerade (NAT).
> 8. It shall be possible to terminate the session from outside or by client choice. (Go back to the registration VLAN.)
> 9. The servers that the clients connect to interact with external equipment, and that interaction can trigger a "disconnect" from the VLAN.
> 10. Disconnection may be triggered by client disassociation from the access point or by an externally controlled disconnect.
> 11. Only one client will ever be in any VLAN at any one time.
>
> Fabrice has kindly given some pointers previously. Based on his suggestions and documentation I have the following suggestion:
>
> I have created 10 VLANs, with 1 being for registration, using 802.1x via a wireless controller and a public SSID.
> The other 9 VLANs are set to inline layer 2, each with their own distinct IP range (192.168.xx.0/24).
> The interface on which the 10 VLANs are configured is used to listen for RADIUS traffic and access my switches from the CLI of PF (no VLAN, set to "other").
> Each VLAN has DHCP enabled (it works, devices get DHCP-assigned IP addresses).
> The Management interface is set to 172.16.xx.yy with a gateway IP of 172.16.xx.254 and is plugged into a firewall to the Internet (Internet access OK).
> The Wireless LAN Controller is a Ruckus ZD1200 (will later be a Cisco 5508).
>
> What is missing is:
>
> How to make the 9 servers (one in each VLAN) connect to the Internet permanently but still be assigned IP addresses from the PF DHCP server?
> Preferably, I should be able to set up a static IP address for each server in each VLAN - documentation says this can be done by manually configuring DHCP.
> Is there a way to set these up and "manually" register them permanently? Using an ACL or something similar.
>
> How to allow clients access to the Internet once assigned to any of the 9 VLANs? The client shall still be assigned the appropriate IP address by DHCP.
> As there will only ever be 1 client in a VLAN at any one time, its MAC address could be used to open up access; however, it needs to have PF assign IP addresses.
>
> Finally, on receiving a "disconnect" signal from the external equipment, the client shall be disconnected from the VLAN and preferably disassociated from the WLC.
> Is it even possible to tell the WLC to disassociate a client via PF, maybe through the API?
>
> I know this is a very specific implementation, but PF seems to have all that would be needed to do this.
>
> Tony
_______________________________________________ PacketFence-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/packetfence-users
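The disconnect requirement in the quoted message (terminating a client's session and having the controller drop it) is the kind of thing a NAC normally does over RADIUS Dynamic Authorization (RFC 5176) rather than through a vendor API. The following is an added example, not code from the thread or from PacketFence: it encodes a RADIUS Disconnect-Request keyed on the client MAC (Calling-Station-Id) and verifies the Request Authenticator the way a receiving NAS/WLC would, so a defender can see exactly what is authenticated and how a forged or tampered request is rejected. The MAC, shared secret and NAS address are constructed sample values; whether a given WLC accepts Disconnect-Request is an assumption that has to be checked against the vendor's documentation.

```python
import hashlib
import hmac
import struct
from ipaddress import IPv4Address

# RFC 5176 packet codes and the RFC 2865 attribute types used here
DISCONNECT_REQUEST = 40
ATTR_NAS_IP_ADDRESS = 4
ATTR_CALLING_STATION_ID = 31

# Constructed sample values (not from the thread): the MAC of the one client in
# the VLAN, the RADIUS shared secret, and a placeholder WLC address.
SAMPLE_MAC = "aa:bb:cc:dd:ee:ff"
SAMPLE_SECRET = b"constructed-shared-secret"
SAMPLE_WLC_IP = "192.0.2.10"


def encode_attr(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value encoding; Length counts the two header octets."""
    if len(value) > 253:
        raise ValueError("RADIUS attribute value exceeds 253 octets")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def mac_to_calling_station_id(mac: str) -> bytes:
    """Normalise a MAC to the dash-separated form most NAS vendors emit."""
    octets = mac.replace("-", ":").lower().split(":")
    if len(octets) != 6 or any(len(o) != 2 for o in octets):
        raise ValueError("malformed MAC address")
    return "-".join(octets).encode()


def build_disconnect_request(identifier: int, secret: bytes, attrs) -> bytes:
    """Build a Disconnect-Request; the Request Authenticator (RFC 5176 2.3) is
    MD5(Code + Identifier + Length + 16 zero octets + attributes + secret)."""
    body = b"".join(encode_attr(t, v) for t, v in attrs)
    header = struct.pack("!BBH", DISCONNECT_REQUEST, identifier & 0xFF, 20 + len(body))
    authenticator = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + authenticator + body


def verify_request_authenticator(packet: bytes, secret: bytes) -> bool:
    """What the NAS does before acting: recompute the authenticator over the
    received octets and compare in constant time. Any change to the code,
    identifier, length or attributes invalidates it."""
    if len(packet) < 20:
        return False
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False
    header, received, body = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + bytes(16) + body + secret).digest()
    return hmac.compare_digest(received, expected)


def parse_attributes(body: bytes):
    """Walk the TLV list defensively, rejecting truncated or zero-length TLVs."""
    attrs, i = [], 0
    while i < len(body):
        if i + 2 > len(body):
            raise ValueError("truncated attribute header")
        attr_type, length = body[i], body[i + 1]
        if length < 2 or i + length > len(body):
            raise ValueError("attribute length out of bounds")
        attrs.append((attr_type, body[i + 2 : i + length]))
        i += length
    return attrs


def make_sample_request(identifier: int = 7) -> bytes:
    """Disconnect the sample client: identify it by MAC and name the NAS."""
    attrs = [
        (ATTR_CALLING_STATION_ID, mac_to_calling_station_id(SAMPLE_MAC)),
        (ATTR_NAS_IP_ADDRESS, IPv4Address(SAMPLE_WLC_IP).packed),
    ]
    return build_disconnect_request(identifier, SAMPLE_SECRET, attrs)


if __name__ == "__main__":
    pkt = make_sample_request()
    print(f"{len(pkt)} octets, authenticator valid: "
          f"{verify_request_authenticator(pkt, SAMPLE_SECRET)}")
    for t, v in parse_attributes(pkt[20:]):
        print(f"  attr {t}: {v!r}")
```

Sending the datagram to UDP port 3799 and handling the Disconnect-ACK/NAK reply is left out deliberately; the value of the example is in seeing that only the shared secret protects this request, which is why the secret and the source address the WLC will accept requests from both matter operationally.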
