Hi Nicolas,

I did some testing with the filter you suggested but still can't solve the situation. I captured the logs of a connection attempt in the following scenario: the user is already logged in to SSID WIFIHOTSPOT (role WIFIHOTSPOT) and switches to SSID WIFIGUEST.

"Aug 26 16:24:38 LXPFENCE01 packetfence_httpd.aaa: httpd.aaa(16631) INFO: [mac:00:11:22:33:44:55] handling radius autz request: from switch_ip => (172.30.204.130), connection_type => Wireless-802.11-NoEAP,switch_mac => (00:00:00:00:00:00), mac => [00:11:22:33:44:55], port => 1, username => "00:11:22:33:44:55", ssid => WIFIGUEST (pf::radius::authorize)
Aug 26 16:24:38 LXPFENCE01 packetfence_httpd.aaa: httpd.aaa(16631) INFO: [mac:00:11:22:33:44:55] Instantiate profile CP-WIFIGUEST (pf::Connection::ProfileFactory::_from_profile)"

So far, so OK: packetfence receives the WLC request via the CP-WIFIGUEST connection profile.

However, after that, packetfence looks for the current node role in its database.

"Aug 26 16:24:38 LXPFENCE01 packetfence_httpd.aaa: httpd.aaa(16631) INFO: [mac:00:11:22:33:44:55] Connection type is Wireless-802.11-NoEAP. Getting role from node_info (pf::role::getRegisteredRole)
Aug 26 16:24:38 LXPFENCE01 packetfence_httpd.aaa: httpd.aaa(16631) INFO: [mac:00:11:22:33:44:55] Username was defined "00:11:22:33:44:55" - returning role 'WIFIHOTSPOT' (pf::role::getRegisteredRole)
Aug 26 16:24:38 LXPFENCE01 packetfence_httpd.aaa: httpd.aaa(16631) INFO: [mac:00:11:22:33:44:55] PID: "[email protected]", Status: reg Returned VLAN: (undefined), Role: WIFIHOTSPOT (pf::role::fetchRoleForNode)"

Since the node already has a role defined, packetfence sends the "Authorize_any" ACL to the WLC and user access is allowed without the WIFIGUEST (sponsor) network authentication process being performed.

"Aug 26 16:24:38 LXPFENCE01 packetfence_httpd.aaa: httpd.aaa(16631) INFO: [mac:00:11:22:33:44:55] (172.30.204.130) Added role Authorize_any to the returned RADIUS Access-Accept (pf::Switch::returnRadiusAccessAccept)
Aug 26 16:24:38 LXPFENCE01 packetfence_httpd.aaa: httpd.aaa(16631) INFO: [mac:00:11:22:33:44:55] Adding web authentication redirection to reply using role: 'Authorize_any' and URL: 'http://wifiaraujo.araujo.com.br/Cisco::WLC/sidb43377?' (pf::Switch::Cisco::WLC::returnRadiusAccessAccept)"

Thanks,
Emannuel Souza
[email protected]
31 987377864

> On Aug 20, 2019, at 17:44, Emannuel Souza <[email protected]> wrote:
>
> Thanks, I'll check it out.
>
> On Tue, Aug 20, 2019 at 10:47, Nicolas Quiniou-Briand <[email protected]> wrote:
> Hello,
>
> I will try something like that:
>
> #v+
> [last_ssid_wifihotspot]
> filter = node_info.last_ssid
> operator = is
> value = WIFIHOTSPOT
>
> [ssid_wifiguest]
> filter = ssid
> operator = is
> value = WIFIGUEST
>
> [node_reg]
> filter = node_info.status
> operator = is
> value = reg
>
> [node_role_hotspot]
> filter = node_info.category
> operator = is
> value = ID OF HOTSPOT role
>
> [deauth_from_wifihotspot:last_ssid_wifihotspot&ssid_wifiguest&node_reg&node_role_hotspot]
> scope = RegisteredRole
> action = modify_node
> action_param = mac = $mac, status = unreg, autoreg = no
> role = registration
> #v-
>
> --
> Nicolas Quiniou-Briand
> [email protected] :: +1.514.447.4918 *140 :: https://inverse.ca
> Inverse inc. :: Leaders behind SOGo (https://sogo.nu), PacketFence (https://packetfence.org) and Fingerbank (http://fingerbank.org)
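A log check for the situation described in this thread, as an added example that is not part of the original messages or of PacketFence itself: it pairs each `pf::radius::authorize` request with the `pf::role::fetchRoleForNode` result for the same MAC and flags registered nodes accepted on an SSID with a role carried over from another SSID. The `ALLOWED_ROLES` map (including the `guest` role name), the second MAC and the PID values in the sample lines are constructed assumptions.

```python
import re

# Assumption: roles each SSID may hand out ("guest" is a hypothetical role name).
ALLOWED_ROLES = {"WIFIHOTSPOT": {"WIFIHOTSPOT"}, "WIFIGUEST": {"guest"}}

# Constructed sample in the httpd.aaa format quoted in the thread.
SAMPLE_LOG = """\
Aug 26 16:24:38 LXPFENCE01 packetfence_httpd.aaa: httpd.aaa(16631) INFO: [mac:00:11:22:33:44:55] handling radius autz request: from switch_ip => (172.30.204.130), connection_type => Wireless-802.11-NoEAP,switch_mac => (00:00:00:00:00:00), mac => [00:11:22:33:44:55], port => 1, username => "00:11:22:33:44:55", ssid => WIFIGUEST (pf::radius::authorize)
Aug 26 16:24:38 LXPFENCE01 packetfence_httpd.aaa: httpd.aaa(16632) INFO: [mac:66:77:88:99:aa:bb] handling radius autz request: from switch_ip => (172.30.204.130), connection_type => Wireless-802.11-NoEAP,switch_mac => (00:00:00:00:00:00), mac => [66:77:88:99:aa:bb], port => 1, username => "66:77:88:99:aa:bb", ssid => WIFIHOTSPOT (pf::radius::authorize)
Aug 26 16:24:38 LXPFENCE01 packetfence_httpd.aaa: httpd.aaa(16631) INFO: [mac:00:11:22:33:44:55] PID: "user1@example.com", Status: reg Returned VLAN: (undefined), Role: WIFIHOTSPOT (pf::role::fetchRoleForNode)
Aug 26 16:24:38 LXPFENCE01 packetfence_httpd.aaa: httpd.aaa(16632) INFO: [mac:66:77:88:99:aa:bb] PID: "user2@example.com", Status: reg Returned VLAN: (undefined), Role: WIFIHOTSPOT (pf::role::fetchRoleForNode)
"""

SSID_RE = re.compile(
    r"\[mac:([0-9a-fA-F:]{17})\] handling radius autz request:.*ssid => (\S+) \(pf::radius::authorize\)")
ROLE_RE = re.compile(
    r"\[mac:([0-9a-fA-F:]{17})\].*Status: (\w+) Returned VLAN: .*?, Role: (\S+) \(pf::role::fetchRoleForNode\)")


def find_role_carryover(log_text, allowed=ALLOWED_ROLES):
    """Return (mac, ssid, role) for registered nodes given a role their SSID should not grant."""
    current_ssid = {}  # mac -> SSID of the most recent authorize request (lines from workers interleave)
    findings = []
    for line in log_text.splitlines():
        m = SSID_RE.search(line)
        if m:
            current_ssid[m.group(1).lower()] = m.group(2)
            continue
        m = ROLE_RE.search(line)
        if not m:
            continue
        mac, status, role = m.group(1).lower(), m.group(2), m.group(3)
        ssid = current_ssid.get(mac)
        if ssid is None or ssid not in allowed:
            continue  # no request seen for this MAC, or SSID not covered by the map
        if status == "reg" and role not in allowed[ssid]:
            findings.append((mac, ssid, role))
    return findings


if __name__ == "__main__":
    for mac, ssid, role in find_role_carryover(SAMPLE_LOG):
        print(f"{mac}: accepted on {ssid} with carried-over role {role}")
```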
