
List:       packetfence-users
Subject:    Re: [PacketFence-users] Issues with roles and VLAN assignment
From:       Ludovic Zammit via PacketFence-users <packetfence-users () lists ! sourceforge ! net>
Date:       2020-10-30 19:44:22
Message-ID: 4A618A43-B7E8-4D56-8BAB-C9AB414CBCAE () inverse ! ca


Hello,

I will quickly break down the PacketFence involvement in both of the most popular authentication methods.

WiFi:

RADIUS EAP PEAP MSCHAPv2:

- Device submits the EAP Identity
- AP receives that info and transmits it to the controller
- Controller sends the RADIUS authentication to PF
- PF receives it and processes the RADIUS authentication, sending an NTLM request to the AD
- AD says ok
- RADIUS authentication successful
- PacketFence now processes the Authorization, grabs the username from the previous authentication and now it checks for sources (LDAP) connection profile to do a match on a source and return a ROLE and an ACCESS DURATION
- PacketFence checks where you connect from and grabs the VLAN ID that matches the role you just got
- PacketFence sends the RADIUS Access Accept packet with the Authorization inside
- Device asks for DHCP in that returned VLAN

RADIUS Mac-authentication:

- Device connects on the SSID
- AP forwards the RADIUS authentication to PF
- PF checks your status: if unreg = registration VLAN for that switch IP, or status reg = VLAN for that role.
- If you are not registered, you get the registration VLAN
- Device asks for an IP in the registration network, does an HTTP request and gets redirected to the captive portal
- PacketFence checks for Filters on the connection profiles in order to display the correct portal. You submit your identity; as soon as you submit a valid identity on the portal, PacketFence sends a disconnect request to the controller for you to get your new access
- Device reconnects automatically, thus triggering a new RADIUS request
- PF: status = reg = VLAN prod
- Device gets an IP address in the prod/guest VLAN.

On a connection profile, you can also match on a switch group/switch and combine all the filters.

Thanks,

Ludovic Zammit
lzammit@inverse.ca :: +1.514.447.4918 (x145) :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence (http://packetfence.org)

> On Oct 30, 2020, at 2:31 PM, <ypefti@gmail.com> <ypefti@gmail.com> wrote:
> 
> Actually it was your hint about device registration that clicked and made me check my connection profile.
> Still, it ALWAYS helps to ask questions and read answers and advice very carefully 😉
> 
> Ludovic, please guide me through the connection profile creation for public WiFi with captive portal for guests.
> Just high level and mostly hints, like what modules are involved.
> I did everything as advised here on Unifi side
> 
> https://packetfence.org/doc/PacketFence_Network_Devices_Configuration_Guide.html#_ubiquiti_2
> 
> But there are gaps in understanding of what to do on PacketFence side
> 1. I created/cloned the external authentication source for SMS based registration and included only Canadian cellular operators
> 2. I'm reusing the same switch group that includes Unifi APs, under "Role by VLAN ID" I put a VLAN ID 20 to guest, but I suspect this is wrong
> 
> As far as I understand it, I need to create a condition for PacketFence to help it differentiate if the authentication comes via WebAuth and not Wireless-802.11-EAP. Is this where the connection profile comes into place?
> 
> Eugene
> 
> 
> From: Ludovic Zammit <lzammit@inverse.ca> 
> Sent: Friday, October 30, 2020 11:11 AM
> To: ypefti@gmail.com
> Cc: packetfence-users@lists.sourceforge.net
> Subject: Re: [PacketFence-users] Issues with roles and VLAN assignment
> 
> The logs don't lie ;-)
> 
> Thanks,
> 
> Ludovic Zammit
> lzammit@inverse.ca :: +1.514.447.4918 (x145) :: www.inverse.ca
> Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence (http://packetfence.org)
> 
> > On Oct 30, 2020, at 2:00 PM, <ypefti@gmail.com> wrote:
> > That's what I missed, namely the connection profile for devices registration wasn't enabled.
> > Thank you, Ludovic!
> > 
> > From: Ludovic Zammit <lzammit@inverse.ca>
> > Sent: Friday, October 30, 2020 10:24 AM
> > To: ypefti@gmail.com
> > Cc: packetfence-users@lists.sourceforge.net
> > Subject: Re: [PacketFence-users] Issues with roles and VLAN assignment
> > 
> > If your node has: status = registered and a role, PacketFence would return the VLAN for the role from the switch (inherited configuration from switch groups or not).
> > 
> > Do an authentication and send the logs.packetfence.log.
> > 
> > Thanks,
> > 
> > Ludovic Zammit
> > lzammit@inverse.ca :: +1.514.447.4918 (x145) :: www.inverse.ca
> > Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence (http://packetfence.org)
> > 
> > > On Oct 30, 2020, at 1:14 PM, <ypefti@gmail.com> wrote:
> > > Hi Ludovic,
> > > Thanks for looking into it.
> > > My search through packetfence.log didn't produce any matches for the specific MAC address.
> > > Let me paraphrase my question. The group of switches (or rather Wireless AP) has a list of roles.
> > > The top is registration with VLAN 2. Then go three more, i.e. isolation, macDetection, inline and reject.
> > > Only then do I have Staff role with VLAN 10. I don't have a way to change this order and my attempt to assign VLAN 10 to registration was reversed after I restarted PacketFence services. Essentially RADIUS assigns by default VLAN 2 which is against my logic and design. I don't have registration and isolation interfaces/VLANs. It is pure dot1x/RADIUS authentication via management interface
> > > Eugene
> > > 
> > > From: Ludovic Zammit <lzammit@inverse.ca>
> > > Sent: Friday, October 30, 2020 4:47 AM
> > > To: packetfence-users@lists.sourceforge.net
> > > Cc: ypefti@gmail.com
> > > Subject: Re: [PacketFence-users] Issues with roles and VLAN assignment
> > > 
> > > Hello Eugene,
> > > 
> > > The answer is in your logs.
> > > 
> > > grep MAC_ADDRESS /usr/local/pf/logs/packetfence.log
> > > 
> > > Thanks,
> > > 
> > > Ludovic Zammit
> > > lzammit@inverse.ca :: +1.514.447.4918 (x145) :: www.inverse.ca
> > > Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence (http://packetfence.org)
> > > 
> > > > On Oct 29, 2020, at 3:15 PM, ypefti--- via PacketFence-users <packetfence-users@lists.sourceforge.net> wrote:
> > > > Folks,
> > > > Can someone help me identify what I'm missing.
> > > > My authentication session goes through but the endpoint that connects to WAP (Unifi) never gets an IP address. I investigated it and see that RADIUS assigns the wrong VLAN to the connection. This is what I see in the live session log
> > > > 
> > > > Oct 29 12:04:29 packetfence auth[1201]: [mac:18:81:0e:7c:3c:ed] Accepted user: it.tech and returned VLAN 2
> > > > 
> > > > But my authentication source has a rule with an action to set the Role Staff which is defined with a specific VLAN 10. VLAN 2 on the contrary is assigned to a registration role which I'm not using at the moment. My short term goal is dot1x WiFi authentication with RADIUS assigned VLAN.
> > > > Eugene
> > > > 
> > > > _______________________________________________
> > > > PacketFence-users mailing list
> > > > PacketFence-users@lists.sourceforge.net
> > > > https://lists.sourceforge.net/lists/listinfo/packetfence-users
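
The authorization step described in the message at the top of this thread (unregistered node gets the registration VLAN, registered node gets the VLAN mapped to its role on the switch), written out as an added example that is not part of the original messages and is not PacketFence's own code. It audits "Accepted user ... returned VLAN" log lines against an intended node table. The node table, the second and third log lines, and all function names are constructed for illustration; the VLAN numbers and the first log line come from the thread.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Role -> VLAN mapping as configured on the switch group (values from the thread).
ROLE_VLANS = {"registration": 2, "Staff": 10, "guest": 20}


@dataclass
class Node:
    status: str           # "reg" or "unreg"
    role: Optional[str]   # role set by the authentication source rule


# Constructed node table: what the operator intends for each MAC.
INTENDED = {
    "18:81:0e:7c:3c:ed": Node("reg", "Staff"),
    "02:00:00:00:00:01": Node("unreg", None),
    "02:00:00:00:00:02": Node("reg", "guest"),
}

# Constructed sample log; the first line follows the one quoted in the thread.
SAMPLE_LOG = """\
Oct 29 12:04:29 packetfence auth[1201]: [mac:18:81:0e:7c:3c:ed] Accepted user: it.tech and returned VLAN 2
Oct 29 12:05:02 packetfence auth[1201]: [mac:02:00:00:00:00:01] Accepted user: 020000000001 and returned VLAN 2
Oct 29 12:06:40 packetfence auth[1201]: [mac:02:00:00:00:00:02] Accepted user: visitor and returned VLAN 20
"""

ACCEPT_RE = re.compile(
    r"\[mac:(?P<mac>[0-9a-fA-F:]{17})\] Accepted user: (?P<user>\S+) "
    r"and returned VLAN (?P<vlan>\d+)"
)


def expected_vlan(node, role_vlans=ROLE_VLANS):
    """Simplified decision from the thread: unreg -> registration VLAN,
    reg -> VLAN mapped to the node's role on that switch."""
    if node.status != "reg":
        return role_vlans["registration"]
    if node.role not in role_vlans:
        # The thread does not say what happens here; this model refuses to guess.
        raise ValueError(f"no VLAN mapped for role {node.role!r}")
    return role_vlans[node.role]


def audit(log_text, intended=INTENDED, role_vlans=ROLE_VLANS):
    """Return (mac, user, returned_vlan, expected_vlan, reason) for every
    accepted session whose returned VLAN differs from the intended one."""
    findings = []
    for line in log_text.splitlines():
        m = ACCEPT_RE.search(line)
        if not m:
            continue
        mac = m["mac"].lower()
        returned = int(m["vlan"])
        node = intended.get(mac)
        if node is None:
            findings.append((mac, m["user"], returned, None, "MAC not in node table"))
            continue
        want = expected_vlan(node, role_vlans)
        if returned == want:
            continue
        if returned == role_vlans["registration"]:
            why = "got registration VLAN: node was handled as unregistered"
        else:
            why = "VLAN does not match the role mapping for this switch"
        findings.append((mac, m["user"], returned, want, why))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(finding)
```
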


_______________________________________________
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users

