Re: [PacketFence-users] Reregister if SSID is changing
Hi,

ok, I can't solve it by myself, so I have ordered a Support Contract. I hope Inverse can help me :D

If I get a solution, I will post it here :)

Greetings
Tobias

2016-09-28 9:58 GMT+02:00 Tobias Friede:

> Hi,
>
> today I played a little bit with the rule set.
>
> The following workflow to reproduce my problem:
>
> I have a portal page which is registered to the SSID GAST-Dont-Use-It (it's my testing WLAN).
> I have a rule set for checking certificates (EAP-TLS) and for the SSID "Fraunhofer-PF" which is my internal WLAN.
>
> If I connect a client, which is currently unregistered in PF, to my GAST WLAN, PF is presenting the portal and I can log in with an internal user which has been assigned the role "guest".
> After that, the VLAN is changing from registration VLAN to my guest VLAN. Everything seems to be fine.
>
> Now, the client is connecting to Fraunhofer-PF, ok looks good, the 802.1x auth works and the VLAN changes to my internal VLAN.
> Now I move the client back to the guest WiFi. In the PF interface (Auditing) I can see that a new RADIUS request is coming into PF, but PF sends back the "Internal" VLAN, not the registration VLAN :(
>
> Source and role don't change to guest.
>
> Greetings
> Tobias
Re: [PacketFence-users] Reregister if SSID is changing
Hi,

today I played a little bit with the rule set.

The following workflow to reproduce my problem:

I have a portal page which is registered to the SSID GAST-Dont-Use-It (it's my testing WLAN).
I have a rule set for checking certificates (EAP-TLS) and for the SSID "Fraunhofer-PF" which is my internal WLAN.

If I connect a client, which is currently unregistered in PF, to my GAST WLAN, PF is presenting the portal and I can log in with an internal user which has been assigned the role "guest".
After that, the VLAN is changing from registration VLAN to my guest VLAN. Everything seems to be fine.

Now, the client is connecting to Fraunhofer-PF, ok looks good, the 802.1x auth works and the VLAN changes to my internal VLAN.
Now I move the client back to the guest WiFi. In the PF interface (Auditing) I can see that a new RADIUS request is coming into PF, but PF sends back the "Internal" VLAN, not the registration VLAN :(

Source and role don't change to guest.

Greetings
Tobias

2016-09-27 22:44 GMT+02:00 Tobias Friede:

> Hi Antoine,
>
>> There is a reevaluation happening every time a user connects to an SSID as long as there is a new RADIUS request coming in.
>
> that's what I expected. My Aerohive and my Cisco WLC of course send a new RADIUS request... But PF doesn't reevaluate the access, the old rule from the first connection persists.
>
>> Now for what you want to do, you could create a set of rules in your source of authentication, AD I presume, and use the condition SSID. Send back the role guest if the SSID is guest, or apply your normal rules if the SSID is internal.
>
> Yes, I have a rule for my WPA2 encrypted WiFi with 802.1x auth (no, I don't use AD auth, I use our client certificates from our Windows CA and make an EAP-TLS authentication).
> In that rule, I defined the appropriate SSID.
>
> Currently I use the internal database for guest users, but how can I configure a rule with internal users? Is it the "Legacy Source"? When I try to edit that rule, I get the following message:
> "Error! The file is not readable."
>
> Greetings
> Tobias
Re: [PacketFence-users] Reregister if SSID is changing
Hi Antoine,

> There is a reevaluation happening every time a user connects to an SSID as long as there is a new RADIUS request coming in.

that's what I expected. My Aerohive and my Cisco WLC of course send a new RADIUS request... But PF doesn't reevaluate the access, the old rule from the first connection persists.

> Now for what you want to do, you could create a set of rules in your source of authentication, AD I presume, and use the condition SSID. Send back the role guest if the SSID is guest, or apply your normal rules if the SSID is internal.

Yes, I have a rule for my WPA2 encrypted WiFi with 802.1x auth (no, I don't use AD auth, I use our client certificates from our Windows CA and make an EAP-TLS authentication).
In that rule, I defined the appropriate SSID.

Currently I use the internal database for guest users, but how can I configure a rule with internal users? Is it the "Legacy Source"? When I try to edit that rule, I get the following message:
"Error! The file is not readable."

Greetings
Tobias
Re: [PacketFence-users] Reregister if SSID is changing
Hello Tobias,

There is a reevaluation happening every time a user connects to an SSID as long as there is a new RADIUS request coming in.

Now for what you want to do, you could create a set of rules in your source of authentication, AD I presume, and use the condition SSID. Send back the role guest if the SSID is guest, or apply your normal rules if the SSID is internal.

Let us know if that helps.

Thanks,

On 09/21/2016 05:46 AM, Tobias Friede wrote:

> Hi,
>
> is it possible to reevaluate access every time a client/user makes a reconnect on our WiFi?
>
> Greetings
> Tobias
>
> 2016-09-02 11:36 GMT+02:00 Tobias Friede:
>
>> Hi,
>>
>> No one with an idea how to fix my problem?
>> Or is it better to use two PacketFence servers, one for internal authentication and one for hotspot services?
>>
>> Greetings
>> Tobias

--
Antoine Amacher
aamac...@inverse.ca :: www.inverse.ca
+1.514.447.4918 x130 :: +1 (866) 353-6153 x130
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence (www.packetfence.org)
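The rule logic suggested in the reply above, sketched as an added example (not part of the thread, and not PacketFence code or configuration): a small Python model that reads the SSID from Called-Station-Id in its RFC 3580 form and picks the role from the current RADIUS request only. The role name `internal`, the dict-shaped requests and the pre-parsed `EAP-Type` field are assumptions.

```python
import re
from dataclasses import dataclass
from typing import Optional

# RFC 3580 form of Called-Station-Id on 802.11: "<AP MAC>:<SSID>".
# The MAC may use "-", ":" or "." separators depending on the controller.
_CALLED_STATION = re.compile(r"^(?:[0-9A-Fa-f]{2}[-:.]?){6}:(.+)$")


def ssid_from_called_station_id(value: str) -> Optional[str]:
    """Return the SSID, or None when the attribute carries only a MAC."""
    match = _CALLED_STATION.match(value.strip())
    return match.group(1) if match else None


@dataclass(frozen=True)
class Rule:
    ssid: str
    eap_type: Optional[str]  # None means an open SSID, no 802.1X
    role: str


# SSID names are the ones from the thread; "internal" is an assumed role name.
RULES = (
    Rule("Fraunhofer-PF", "TLS", "internal"),
    Rule("GAST-Dont-Use-It", None, "guest"),
)


def role_for_request(request: dict) -> str:
    """First matching rule wins; the decision uses only the current request."""
    ssid = ssid_from_called_station_id(request.get("Called-Station-Id", ""))
    for rule in RULES:
        if rule.ssid == ssid and rule.eap_type == request.get("EAP-Type"):
            return rule.role
    return "registration"  # nothing matched: keep the device unregistered


# Constructed sample: one client roaming guest -> internal -> guest, then an
# attempt on the internal SSID without EAP-TLS.
ROAMING = [
    {"Called-Station-Id": "00-11-22-33-44-55:GAST-Dont-Use-It"},
    {"Called-Station-Id": "00:11:22:33:44:55:Fraunhofer-PF", "EAP-Type": "TLS"},
    {"Called-Station-Id": "0011.2233.4455:GAST-Dont-Use-It"},
    {"Called-Station-Id": "00-11-22-33-44-55:Fraunhofer-PF", "EAP-Type": "PEAP"},
]

if __name__ == "__main__":
    for req in ROAMING:
        print(req["Called-Station-Id"], "->", role_for_request(req))
```

Because the role is computed from each request and never from an earlier registration, the same client gets a different role as soon as the SSID in Called-Station-Id changes.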
Re: [PacketFence-users] Reregister if SSID is changing
Hi,

No one with an idea how to fix my problem?
Or is it better to use two PacketFence servers, one for internal authentication and one for hotspot services?

Greetings
Tobias

2016-09-01 9:20 GMT+02:00 Tobias Friede:

> Hi,
>
> I have the following problem. I have 2 SSIDs:
> Guest and Internal.
>
> The Guest WiFi is open and just secured with a captive page. The internal is secured with 802.1x EAP-TLS.
> If a user connects to the guest WiFi and logs in with a guest account, our Aerohive APs and Cisco WLC will move them to the correct VLAN.
> Everything seems to be fine. Unregistration via PF interface works fine too, so CoA is working.
>
> But if a user moves to the internal WiFi, the VLAN doesn't change back to the internal VLAN.
> The client still remains in guest VLAN, I think, because the client is registered for the guest user account.
> Is there any solution to solve this?
>
> Greetings
> Tobias
[PacketFence-users] Reregister if SSID is changing
Hi,

I have the following problem. I have 2 SSIDs:
Guest and Internal.

The Guest WiFi is open and just secured with a captive page. The internal is secured with 802.1x EAP-TLS.
If a user connects to the guest WiFi and logs in with a guest account, our Aerohive APs and Cisco WLC will move them to the correct VLAN.
Everything seems to be fine. Unregistration via PF interface works fine too, so CoA is working.

But if a user moves to the internal WiFi, the VLAN doesn't change back to the internal VLAN.
The client still remains in guest VLAN, I think, because the client is registered for the guest user account.
Is there any solution to solve this?

Greetings
Tobias