Question: Why stick with the captive portal solution built into your AP?
Typically the functionality of such things is very restricted while PF can
serve all of your needs in a single location.
If there are legitimate reasons for not using the PF captive portal that's
fine, just a question : ), no offense meant.
Jake Sallee
Godfather of Bandwidth
System Engineer
University of Mary Hardin-Baylor
900 College St.
Belton TX. 76513
Fone: 254-295-4658
Phax: 254-295-4221
From: Ian Ward [mailto:ian.w...@meraki.com]
Sent: Thursday, March 22, 2012 11:11 AM
To: packetfence-users@lists.sourceforge.net
Subject: [Packetfence-users] PacketFence at a Network Level
Greetings,

I have been reading through PacketFence documentation and I am working on
integrating the server with an existing AP deployment. I'd like to summarize
how the PF solution works for my own understanding; please correct me where I
am wrong. As far as I can tell, the PF solution works by first doing a low-level
Radius-Request message with the user's MAC address, to which the server then
sends back a RADIUS-Accept message (similar to machine auth on domain machines),
putting them on a LAN isolated subnet. The user is then redirected to the
captive portal interface of the PF server (the only place the isolated VLAN can
get to) to scan for AV, take the client's username and password, and check a
backend directory service. Once the directory lookup returns success, the PF
server prompts the AP to change the client's VLAN to the appropriate one and
they are then granted access to the network.

My question is this: Is there any way I can disable the initial RADIUS
functionality that contains the client's MAC address? The reason I am asking is
because my AP solution already places the client device in a Captive Portal
with firewall rules on the AP (the client can only get to the captive portal
server), so the LAN isolated subnet is redundant. Additionally, the MAC address
can be stored on the AP controller and only prompt the user to re-authenticate
with the captive portal once the splash frequency expires (never?). I can also
pass the PF server the MAC address of the client with escaped parameters in the
URL redirect to the splash page server.

I am wondering if anyone has had experience disabling this functionality or any
thoughts on how else I might accomplish this? I feel like it is a doubling of
efforts to both place them in a LAN isolated subnet and have firewall rules on
the AP. Are my thoughts on how PF works at the packet level correct?

Any input would be helpful.

-Ian