Re: [PacketFence-users] Reregister if SSID is changing

2016-10-07 Thread Tobias Friede
Hi,

ok, I can't solve it by myself, so I have ordered a Support Contract.
I hope Inverse can help me :D

If I get a solution, I will post it here :)


Greetings
Tobias

--
___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net

Re: [PacketFence-users] Reregister if SSID is changing

2016-09-28 Thread Tobias Friede
Hi,

Today I played a little bit with the rule set.

The following workflow to reproduce my Problem:

I have a portal page which is registered to the SSID GAST-Dont-Use-It (It's
my testing WLAN).
I have a rule set for checking certificates (EAP-TLS) and for the SSID
"Fraunhofer-PF" which is my Internal WLAN.

If I connect a client, which is currently unregistered in PF to my GAST
WLAN, pf is presenting the portal and I can login with an internal user
which has assigned the role "guest".
After that, the vlan is changing from registration VLAN to my Guest VLAN.
Everything seems to be fine.

Now, the client is connecting to Fraunhofer-PF, ok looks good, the 802.1x
auth works and the vlan changes to my internal VLAN. Now I move the
client back to the guest WiFi. In the PF interface (Auditing) I can see
that a new RADIUS request is coming into PF, but PF sends back the
"Internal" VLAN not the registration VLAN :(

Source and Role don't change to guest.


Greetings
Tobias


--
___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users
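
A check for the symptom described in this thread, where the reply on the guest SSID carries the internal VLAN, as an added example that is not part of the original posts or of PacketFence: it scans RADIUS audit records and flags any reply whose VLAN is not allowed on the SSID the request came from. The record format, VLAN numbers and MAC address are constructed for illustration; only the SSID names come from the thread.

```python
import csv
import io

# Constructed policy: SSID -> VLAN IDs a RADIUS Access-Accept may return there.
# SSID names are from the thread; the VLAN numbers are invented for the example.
ALLOWED_VLANS = {
    "GAST-Dont-Use-It": {"10", "20"},   # registration, guest
    "Fraunhofer-PF": {"30"},            # internal (802.1X EAP-TLS)
}

# Constructed audit export (time, MAC, SSID, returned VLAN); not a real PacketFence format.
SAMPLE_AUDIT = """\
time,mac,ssid,vlan
2016-09-28T09:01:00,00:11:22:33:44:55,GAST-Dont-Use-It,10
2016-09-28T09:03:00,00:11:22:33:44:55,GAST-Dont-Use-It,20
2016-09-28T09:10:00,00:11:22:33:44:55,Fraunhofer-PF,30
2016-09-28T09:20:00,00:11:22:33:44:55,GAST-Dont-Use-It,30
"""

def find_vlan_mismatches(audit_csv, allowed=ALLOWED_VLANS):
    """Return findings for replies whose VLAN is not permitted on the request's SSID."""
    findings = []
    last_ssid = {}  # MAC -> SSID of that device's previous request
    rows = sorted(csv.DictReader(io.StringIO(audit_csv)), key=lambda r: r["time"])
    for row in rows:
        mac, ssid, vlan = row["mac"].lower(), row["ssid"], row["vlan"]
        permitted = allowed.get(ssid)
        if permitted is None:
            reason = "unknown SSID"
        elif vlan not in permitted:
            reason = "VLAN not permitted on this SSID"
        else:
            reason = None
        if reason:
            findings.append({
                "time": row["time"], "mac": mac, "ssid": ssid, "vlan": vlan,
                "previous_ssid": last_ssid.get(mac), "reason": reason,
            })
        last_ssid[mac] = ssid
    return findings

if __name__ == "__main__":
    for finding in find_vlan_mismatches(SAMPLE_AUDIT):
        print(finding)
```

The `previous_ssid` field shows which network the device came from, which separates a stale role carried across SSIDs from a plain misconfiguration.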


Re: [PacketFence-users] Reregister if SSID is changing

2016-09-27 Thread Tobias Friede
Hi Antoine,

> There is a reevaluate happening every time a user connects to an SSID as
> long as there is a new RADIUS request coming in.
>
That's what I expected. My Aerohive and my Cisco WLC of course send a new
RADIUS request... But pf doesn't reevaluate the access, the old rule from
the first connection persists.

> Now for what you want to do, you could create a set of rules in your
> source of authentication, AD I presume, and use the condition SSID. Send
> back the role guest if the SSID is guest, or apply your normal rules if the
> SSID is internal.
>
Yes, I have a rule for my WPA2 encrypted Wifi with 802.1x auth (no I don't
use AD Auth, I use our client certificates from our Windows CA and make an
EAP-TLS authentication.)
In that rule, I defined the appropriate SSID.

Currently I use the Internal Database for guest Users, but how can I
configure a rule with internal users? Is it the "Legacy Source"? When I try
to edit that rule, I get the following message:
"Error! The file is not readable."


Greetings
Tobias



Re: [PacketFence-users] Reregister if SSID is changing

2016-09-26 Thread Antoine Amacher

Hello Tobias,

There is a reevaluate happening every time a user connects to an SSID as
long as there is a new RADIUS request coming in.


Now for what you want to do, you could create a set of rules in your 
source of authentication, AD I presume, and use the condition SSID. Send 
back the role guest if the SSID is guest, or apply your normal rules if 
the SSID is internal.


Let us know if that helps.

Thanks,


On 09/21/2016 05:46 AM, Tobias Friede wrote:

> Hi,
>
> Is it possible to reevaluate access every time a client/user makes a
> reconnect on our wifi?
>
> Greetings
> Tobias



--
Antoine Amacher
aamac...@inverse.ca  ::  www.inverse.ca
+1.514.447.4918 x130  :: +1 (866) 353-6153 x130
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence 
(www.packetfence.org)



Re: [PacketFence-users] Reregister if SSID is changing

2016-09-02 Thread Tobias Friede
Hi,

No one with an idea how to fix my problem?
Or is it better to use two packetfence servers, one for internal
authentication and one for hotspot services?

Greetings
Tobias



[PacketFence-users] Reregister if SSID is changing

2016-09-01 Thread Tobias Friede
Hi,

I have the following problem. I have 2 SSIDs:
Guest and Internal.

The Guest WiFi is OPEN and just secured with a captive page. The
internal is secured with 802.1x EAP-TLS.
If a user connects to the guest wifi and logs in with a guest account,
our Aerohive APs and Cisco WLC will move them to the correct vLAN.
Everything seems to be fine. Unregistration via PF interface works
fine too, so CoA is working.

But if a user moves to the internal WiFi, the VLAN doesn't change back
to the internal vLAN.
The client still remains in guest VLAN, I think, because the client is
registered for the guest user account.
Is there any solution to solve this?



Greetings
Tobias
