Hi there, I have been toying with different options. I have a WiFi network controlled by a Cisco 5508 with Cisco APs. The network is not mine and I have little control over it.

Would it be better to use PF to control a Cisco switch and run the access control through the 10 VLANs, via that switch (it needs to be there anyway)? I was thinking of the 802.1X from the AP controller and, when the controller puts the client in the appropriate VLAN, the switch allows access. When the "session" ends, revoke access and get the controller to disassociate the client from the AP. Could I still use PF for all DHCP services? I can use an external firewall for access to the Internet, so no need for in-line. Does this sound feasible?

On Wed, 6 Mar 2019 at 17:36, G PL via PacketFence-users <[email protected]> wrote:
>
> Hello,
> I don't know your hardware but it's probably easier to use the client
> isolation feature on the AP.
> Regards
>
> On Wednesday, 6 March 2019, Tony W via PacketFence-users
> <[email protected]> wrote:
>>
>> Hi there,
>>
>> After having played around with PF and read heaps of implementation
>> samples, I have put together this list and have some questions.
>>
>> I do not plan to use the portal or registration pages with PF as all
>> authentication is via 802.1X, so here we go...
>>
>> 1. Use a wireless controller with a registration SSID (Registration VLAN).
>> 2. Have clients (visitors) connect to the SSID and use 802.1X
>>    authentication. DHCP provided by PF.
>> 3. On success, put the client in a different VLAN, predetermined by the
>>    credentials provided.
>> 4. Each VLAN has a dedicated server that the client shall be able to
>>    connect to. DHCP provided by PF.
>> 5. Each server needs Internet access, as does the client that has been
>>    put in the VLAN.
>> 6. All Internet-bound traffic shall go out via the Management interface.
>> 7. The Management interface is connected to a firewall with Masquerade (NAT).
>> 8. It shall be possible to terminate the session from outside or by
>>    client choice (go back to the registration VLAN).
>> 9. The servers that the clients connect to interact with external
>>    equipment, and that interaction can trigger a "disconnect" from the
>>    VLAN.
>> 10. Disconnection may be triggered by client disassociation from the
>>     access point or by an externally controlled disconnect.
>> 11. Only one client will ever be in any VLAN at any one time.
>>
>>
>> Fabrice has kindly given some pointers previously. Based on his
>> suggestions and the documentation I have the following suggestion:
>>
>> I have created 10 VLANs, with 1 being for registration, using 802.1X
>> via a wireless controller and a public SSID.
>> The other 9 VLANs are set to in-line layer 2, each with their own
>> distinct IP range (192.168.xx.0/24).
>> The interface on which the 10 VLANs are configured is used to
>> listen for RADIUS traffic and to access my switches from the CLI of PF
>> (no VLAN, set to "other").
>> Each VLAN has DHCP enabled (it works, devices get DHCP-assigned IP addresses).
>> The Management interface is set to 172.16.xx.yy with a gateway IP of
>> 172.16.xx.254 and is plugged into a firewall to the Internet (Internet
>> access OK).
>> The Wireless LAN Controller is a Ruckus ZD1200 (will later be a Cisco 5508).
>>
>> What is missing is:
>>
>> How to make the 9 servers (one in each VLAN) connect to the Internet
>> permanently but still be assigned IP addresses from the PF DHCP
>> server?
>> Preferably, I should be able to set up a static IP address for each
>> server in each VLAN. The documentation says this can be done by manually
>> configuring DHCP.
>> Is there a way to set these up and "manually" register them
>> permanently? Using an ACL or something similar.
>>
>> How to allow clients access to the Internet once assigned to any of
>> the 9 VLANs? The client shall still be assigned the appropriate IP
>> address by DHCP.
>> As there will only ever be 1 client in a VLAN at any one time, its MAC
>> address could be used to open up access; however, it needs to have PF
>> assign IP addresses.
>>
>> Finally, on receiving a "disconnect" signal from the external
>> equipment, the client shall be disconnected from the VLAN and
>> preferably disassociated from the WLC.
>> Is it even possible to tell the WLC to disassociate a client via PF,
>> maybe through the API?
>>
>> I know this is a very specific implementation, but PF seems to have all
>> that would be needed to do this.
>>
>> Tony
>>
>>
>> _______________________________________________
>> PacketFence-users mailing list
>> [email protected]
>> https://lists.sourceforge.net/lists/listinfo/packetfence-users
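The thread asks whether PF can tell the WLC to disassociate a client. The standard mechanism for that between a NAC and a controller is a RADIUS Disconnect-Request (RFC 5176, sent to the NAS's CoA/disconnect port, 3799 by default), which is the kind of packet PacketFence's RADIUS deauthentication method emits; that this deployment would be configured that way is an assumption. The Python below is an illustration added here, not code from this thread or from the PacketFence project. It builds such a request keyed on the client's MAC and validates one the way the receiving NAS must, including the two shared-secret checks that make a forged disconnect fail. The shared secret and MAC address are constructed sample values.

```python
"""Build and validate an RFC 5176 RADIUS Disconnect-Request.

Illustrative code, not PacketFence's own implementation.  PacketFence's
RADIUS deauthentication method sends this kind of packet to the NAS/WLC
(assumed configuration); the secret and MAC used below are constructed.
"""
import hashlib
import hmac
import struct
from typing import Optional

DISCONNECT_REQUEST = 40            # RFC 5176 packet code
ATTR_CALLING_STATION_ID = 31       # client MAC as the NAS reports it
ATTR_MESSAGE_AUTHENTICATOR = 80    # RFC 3579 HMAC-MD5 over the packet


def _attr(atype: int, value: bytes) -> bytes:
    """Encode one attribute as Type(1) | Length(1) | Value (max 253 octets)."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", atype, len(value) + 2) + value


def build_disconnect_request(secret: bytes, mac: str, identifier: int = 1) -> bytes:
    """Disconnect-Request naming the session by Calling-Station-Id.

    Signing order follows RFC 5176 s2.3: the Message-Authenticator is an
    HMAC-MD5 computed with the Authenticator field and the MA value zeroed;
    the Request Authenticator is then MD5(Code | ID | Length | 16 zero
    octets | Attributes | Secret), the same rule RFC 2866 uses for accounting.
    """
    attrs = _attr(ATTR_CALLING_STATION_ID, mac.encode("ascii"))
    attrs += _attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))   # placeholder value
    header = struct.pack("!BBH", DISCONNECT_REQUEST, identifier, 20 + len(attrs))
    ma = hmac.new(secret, header + bytes(16) + attrs, hashlib.md5).digest()
    attrs = attrs[:-16] + ma                                 # MA is the last attribute
    request_auth = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + request_auth + attrs


def parse_attributes(attrs: bytes):
    """Walk the TLV list, rejecting any length that would run past the buffer.

    Returns (type, offset, value) triples; the offset is needed to zero the
    Message-Authenticator value in place when re-computing the HMAC.
    """
    out, i = [], 0
    while i < len(attrs):
        if len(attrs) - i < 2:
            raise ValueError("truncated attribute header")
        atype, alen = attrs[i], attrs[i + 1]
        if alen < 2 or i + alen > len(attrs):
            raise ValueError("bad attribute length")
        out.append((atype, i, attrs[i + 2:i + alen]))
        i += alen
    return out


def verify_disconnect_request(packet: bytes, secret: bytes) -> Optional[dict]:
    """Validate a received Disconnect-Request as the NAS/WLC must.

    Returns the identifier and attributes on success, None on any failure:
    bad framing, wrong shared secret, or a Message-Authenticator mismatch
    (RFC 5176 s2.3 requires silently discarding such packets).
    """
    if len(packet) < 20:
        return None
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != DISCONNECT_REQUEST or length != len(packet):
        return None
    header, request_auth, attrs = packet[:4], packet[4:20], packet[20:]
    try:
        parsed = parse_attributes(attrs)
    except ValueError:
        return None
    expected = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    if not hmac.compare_digest(expected, request_auth):
        return None
    for atype, offset, value in parsed:
        if atype == ATTR_MESSAGE_AUTHENTICATOR:
            if len(value) != 16:
                return None
            zeroed = attrs[:offset + 2] + bytes(16) + attrs[offset + 18:]
            ma = hmac.new(secret, header + bytes(16) + zeroed, hashlib.md5).digest()
            if not hmac.compare_digest(ma, value):
                return None
    return {"identifier": ident,
            "attributes": {atype: value for atype, _, value in parsed}}


if __name__ == "__main__":
    secret = b"constructed-shared-secret"          # constructed sample value
    pkt = build_disconnect_request(secret, "00-11-22-33-44-55", identifier=7)
    print(len(pkt), "bytes:", pkt.hex())
    print("valid with right secret:", verify_disconnect_request(pkt, secret) is not None)
    print("valid with wrong secret:", verify_disconnect_request(pkt, b"x") is not None)
```

Two points a defender takes from this: both authenticators are keyed with the shared secret, so the controller drops a disconnect from anyone who does not hold it (which is also why that secret deserves the same care as the 802.1X RADIUS secret), and every attribute length is checked against the buffer before it is used, which is the check that separates a robust RADIUS parser from one that reads past the packet.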
