Hello Erik,

If you check the routed network documentation you can see an example for a remote site.

https://packetfence.org/doc/PacketFence_Installation_Guide.html#_routed_networks

With VLAN enforcement you would need to have one registration network - VLAN per remote site.

On that remote registration VLAN interface you would configure an IP helper toward your PacketFence layer2 registration interface.

Once you create that, on PacketFence you create the remote registration network and PacketFence would know which IP to distribute based on the network.

You would also need to create a switch configuration on PacketFence to authorize the RADIUS authentication incoming from that remote switch.

DHCP and RADIUS are two separate workflows.

RADIUS = Authentication - Authorization
DHCP = Captive portal - Fingerbank profiling.

Thanks,

Ludovic Zammit
lzam...@inverse.ca :: +1.514.447.4918 (x145) :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence (http://packetfence.org)

> On Apr 23, 2020, at 11:52 AM, Erik <e...@vanlinsteeict.nl> wrote:
>
> On 23-04-2020 13:50, Ludovic Zammit wrote:
>> Hello Erik,
>
> Hello Ludovic,
>
>> Yes it can assign VLAN only.
>
> Ah, nice.
>
>> Do you want a captive portal to register your devices or just do 802.1x/MAC
>> authentication?
>
> To begin with, just 802.1x and/or MAC auth. Local equipment can handle a
> captive portal should that be necessary. Maybe later via PF, but I don't see a
> specific need anytime soon.
>
>> There are a lot of features that rely on DHCP handled by PacketFence for the
>> captive portal, for example you will lose a good part of the profiling with
>> Fingerbank that relies on DHCP traffic.
>
> Hmm, that might be interesting later on too. Will that require PF to actually
> be the DHCP-server, or will it suffice that PF is kept informed by the local
> DHCP-server?
>
> If PF needs to be the DHCP-server in those cases, would it be able to select
> the correct IP range based on site specific attributes?
> Because each site has its own specific IP range, but PF will see the entire
> VPN as one big IP block.
>
> Like in the example below, where the entire range routed by the VPN
> concentrator is 10.64.0.0/10. Devices must receive an IP within the range of
> their own site. One way for PF to tell from which site the request is coming,
> might be the IP of the local switch (NAS).
>
> PF (10.64.0.1/32) ---- VPN concentrator ---- site 1 (10.64.63.0/25)
>                             |    |------ site 2 (10.64.63.128/25)
>                             |------ site 3 (10.64.64.0/24)
>
> Erik
_______________________________________________
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users