On 23-04-2020 18:19, Ludovic Zammit wrote:
> Hello Erik,
> If you check the routed network documentation you can see an example
> for a remote site.
> https://packetfence.org/doc/PacketFence_Installation_Guide.html#_routed_networks
> With VLAN enforcement you would need to have one registration network
> - VLAN per remote site.
> On that remote registration VLAN interface you would configure an IP
> helper toward your PacketFence layer2 registration interface. Once you
> create that, on PacketFence you create the remote registration network
> and PacketFence would know which IP to distribute based on the network.

I had seen that, thanks. But that seems to imply that PF must be
configured with each individual network. And I want to avoid that. We
are talking about many hundreds of sites/networks here. All of this is
handled by the VPN system already. Each site is provisioned via a web
portal, where the IP range is defined and sent to the site's DHCP-server.
I could add a module to the VPN system, that sends information about
each site to PF. But the DHCP service must remain on site. If only to
prevent problems should a site be unable to contact PF.

> You would also need to create a switch configuration on PacketFence to
> authorize the RADIUS authentication incoming from that remote switch.
> DHCP and RADIUS are two separate workflows.

Exactly. And I want to keep them separate. AAA by PF. And DHCP locally.
I don't actually have a use case for profiling yet, but does it actually
require PF to be the DHCP server? Or can it do profiling if a local DHCP
helper somehow informs PF of which IP was locally assigned to which client?
I guess I will have to look into Fingerbank to see how that works in detail.