Hello Fabrice,

I am happy to do away with in-line and do a full implementation at layer 2, but I have no control over the network the traffic originates from. That network will pass me the VLANs and allow RADIUS communication with the wireless controller as well as pass me the required VLANs.

The clients come in on wireless only, so not sure if the above even matters. 802.1X will get clients into the VLANs required via the wireless controller. I may be able to send a disassociation request back to the controller to bump the client off the network and should be able to cancel the registration of the MAC address in PF (How exactly?).

The servers in the VLANs need to have permanent access to the Internet, whilst the clients coming to the VLANs need access control so that their access can be revoked. PF should take care of that. If PF can fully manage the clients' access to the VLANs, I can use the PF API (hopefully) to control access from the outside systems.

I would still want PF to manage DHCP for all clients at registration time as well as re-issue new IP addresses when the clients get put into the VLANs with the servers.

I have not mentioned this before, but having the ability to redirect the client to a web page informing them that their "session" has ended is something that I would like to be able to do.

Tony

On Thu, 7 Mar 2019 at 00:30, Fabrice Durand via PacketFence-users <[email protected]> wrote:
>
> Hello Tony,
>
> you can do that with an inline network but there is a limitation.
>
> When a device is in the inline network then it means that the locationlog
> changed to inline and after that there is no way to disconnect the
> device from the equipment because PacketFence thinks that it's inline.
>
> What you will need to have is a sort of inline L2 network but not really
> managed by PacketFence (like iptables rules) but still have the DHCP
> enabled on this network.
>
> It's doable but you need to play with the iptables rules and have a DHCP
> enabled on the PF server for these VLANs.
>
> Regards
>
> Fabrice
>
>
> On 2019-03-05 at 22:09, Tony W via PacketFence-users wrote:
> > Hi there,
> >
> > After having played around with PF and read heaps of implementation
> > samples, I have put together this list and have some questions.
> >
> > I do not plan to use the portal or registration pages with PF as all
> > authentication is via 802.1X - so here we go...
> >
> > 1. Use a wireless controller with a registration SSID (Registration VLAN).
> > 2. Have clients (Visitors) connect to the SSID and use 802.1X
> > authentication. DHCP provided by PF.
> > 3. On success, put the client in a different VLAN, predetermined by the
> > credentials provided.
> > 4. Each VLAN has a dedicated server that the client shall be able to
> > connect to. DHCP provided by PF.
> > 5. Each server needs Internet access, as does the client that has been
> > put in the VLAN.
> > 6. All Internet-bound traffic shall go out via the Management interface.
> > 7. The Management interface is connected to a firewall with Masquerade (NAT).
> > 8. It shall be possible to terminate the session from outside or by
> > client choice. (Go back to the registration VLAN.)
> > 9. The servers that the clients connect to interact with external
> > equipment, and that interaction can trigger a "disconnect" from the
> > VLAN.
> > 10. Disconnection may be triggered by client disassociation from the
> > access point or by an externally controlled disconnect.
> > 11. Only one client will ever be in any VLAN at any one time.
> >
> >
> > Fabrice has kindly given some pointers previously. Based on his
> > suggestions and documentation I have the following suggestion:
> >
> > I have created 10 VLANs with 1 being for registration, using 802.1X
> > via a wireless controller and a public SSID.
> > The other 9 VLANs are set to in-line layer 2, each with their own
> > distinct IP range (192.168.xx.0/24).
> > The interface, on which the 10 VLANs are configured, is used to
> > listen for RADIUS traffic and access my switches from the CLI of PF
> > (No VLAN, set to "other").
> > Each VLAN has DHCP enabled (It works, devices get DHCP-assigned IP
> > addresses).
> > The Management interface is set to 172.16.xx.yy with a gateway IP of
> > 172.16.xx.254 and is plugged into a firewall to the Internet (Internet
> > access OK).
> > The Wireless LAN Controller is a Ruckus ZD1200 (Will later be a Cisco 5508).
> >
> > What is missing is:
> >
> > How to make the 9 servers (One in each VLAN) connect to the Internet
> > permanently but still be assigned IP addresses from the PF DHCP
> > server?
> > Preferably, I should be able to set up a static IP address for each
> > server in each VLAN - Documentation says this can be done by manually
> > configuring DHCP.
> > Is there a way to set these up and "manually" register them
> > permanently? Using an ACL or something similar.
> >
> > How to allow clients access to the Internet, once assigned to any of
> > the 9 VLANs? The client shall still be assigned the appropriate IP
> > address by DHCP.
> > As there will only ever be 1 client in a VLAN at any one time, its MAC
> > address could be used to open up access; however, it needs to have PF
> > assign IP addresses.
> >
> > Finally, on receiving a "disconnect" signal from the external
> > equipment, the client shall be disconnected from the VLAN and
> > preferably disassociated from the WLC.
> > Is it even possible to tell the WLC to disassociate a client via PF,
> > maybe through the API?
> >
> > I know this is a very specific implementation but PF seems to have all
> > that would be needed to do this.
> >
> > Tony
> >
> >
> > _______________________________________________
> > PacketFence-users mailing list
> > [email protected]
> > https://lists.sourceforge.net/lists/listinfo/packetfence-users
>
> --
> Fabrice Durand
> [email protected] :: +1.514.447.4918 (x135) :: www.inverse.ca
> Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence
> (http://packetfence.org)
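The "inline-like L2 network not managed by PacketFence" that Fabrice describes, together with the per-VLAN server allow and the client revocation Tony asks about, as an added example that is not from the thread and not PacketFence's own code. It assumes the PF host forwards each VLAN sub-interface (named like eth1.2 here) towards the management interface (eth0) that leads to the NAT firewall; the IP addresses and MACs are constructed. Telling PacketFence itself to deregister the node or asking the WLC to disassociate the client is not shown.

```shell
#!/bin/sh
# Added example, not code from the thread or from PacketFence. One iptables
# chain per VLAN sub-interface, default deny towards the Internet; ACCEPT
# rules are inserted above the DROP for the VLAN's server (permanent) and for
# the single client (revocable). Interface names, addresses and MACs are
# assumptions/constructed values. Set IPT=echo to print rules instead of
# applying them (dry run).

IPT="${IPT:-iptables}"
WAN_IF="${WAN_IF:-eth0}"   # management interface towards the NAT firewall

# Chain name derived from the VLAN interface, e.g. eth1.2 -> VLAN_eth1_2
vlan_chain_name() {
  echo "VLAN_$(printf '%s' "$1" | tr '.' '_')"
}

# Forwarding from the VLAN to the Internet goes through the VLAN chain, which
# ends in DROP; return traffic for accepted flows is allowed via conntrack.
# DHCP to the PF host is INPUT, not FORWARD, so PF's DHCP server is unaffected.
setup_vlan() {
  chain=$(vlan_chain_name "$1")
  $IPT -N "$chain"
  $IPT -A FORWARD -i "$1" -o "$WAN_IF" -j "$chain"
  $IPT -A FORWARD -i "$WAN_IF" -o "$1" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  $IPT -A "$chain" -j DROP
}

# Permanent Internet access for the VLAN's server, keyed on both its static IP
# and its MAC so a client cannot gain the server's access by taking its address.
allow_server() {
  chain=$(vlan_chain_name "$1")
  $IPT -I "$chain" -s "$2" -m mac --mac-source "$3" -j ACCEPT
}

# Access for the one client in the VLAN, keyed on MAC only: its IP comes from
# PF's DHCP and may change, so the rule does not pin it.
allow_client() {
  chain=$(vlan_chain_name "$1")
  $IPT -I "$chain" -m mac --mac-source "$2" -j ACCEPT
}

# Revocation (the external "disconnect"): remove the rule, then flush the
# client's existing flows so already-open connections stop immediately.
# conntrack(8) is from conntrack-tools; the client IP is passed explicitly.
revoke_client() {
  chain=$(vlan_chain_name "$1")
  $IPT -D "$chain" -m mac --mac-source "$2" -j ACCEPT
  if [ -n "${3:-}" ]; then
    ${CONNTRACK:-conntrack} -D -s "$3" >/dev/null 2>&1 || true
  fi
}

# Dry-run usage: IPT=echo CONNTRACK=echo sh rules.sh demo
case "${1:-}" in
  demo)
    setup_vlan eth1.2
    allow_server eth1.2 192.168.2.10 02:00:00:00:00:10
    allow_client eth1.2 02:00:00:00:00:20
    revoke_client eth1.2 02:00:00:00:00:20 192.168.2.101
    ;;
esac
```

The MAC match only works on the interface the client is directly attached to (here the VLAN sub-interface), and a MAC rule is an authorisation shortcut rather than authentication: the 802.1X exchange at the controller remains the thing that proves who the client is, and the rule should be installed and removed from the same place that learns the 802.1X result.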
