We recently rolled out PF 3.6.0 on our 500+ AP Meru wireless network, and are now in the process of deploying it on wired ports in a dozen dormitory buildings. VLAN switching via CustomVLAN and user categories has been working great, and users are able to register their devices using AD credentials perfectly. PF is replacing an in-house Linux-based device registration system that I cobbled together about 10 years ago, and so far everyone is happy with the way that it is working.
My one disappointment so far is that the registration skip_mode feature seems to have been lost since back at V1.6 or so, despite the admin web interface still having all of the settings and categories as if it was still there and working. Searching through the list archives, it does come up every once in a while but doesn't seem to be a popular feature that jumps to the top of the project's to-do list.
On the developers list, Olivier Bilodeau suggested a hack that was similar to what I was thinking that added a button to the registration portal that registered the device with a near-future unregister date/time. He noted that it would require more code to prevent the user from using the skip feature again once the time expired.
Someone who works here came from an organization where their NAC system allowed guests to skip registration for a defined near-term period, but nagged them to register every few hours. If they didn't register by the end of their grace period, they were sent to the registration page with no option to skip it. The goal is to provide basic guest VLAN access to one-day visitors (like a guest speaker), but not provide free ISP services to the neighborhood with "permanent" guests that just keep skipping every time their access expires.
Stepping back a few feet, the above sounds more like it would be better handled as a violation event rather than a registration event. The logic behind the bandwidth overage violation seems almost perfect, except that it doesn't present a registration screen. Has anyone else successfully implemented a feature like this? Is there another feature in PF that might provide a cleaner solution?
On a related note, our unregistered network has historically had hundreds of unregistered devices camping on it. Many are cell phones that people carry into our airspace configured to automatically connect to any SSID they see, and the owners never open a web browser or try to register them.
Has anyone come up with an automated way to send these nodes to a dead VLAN after not registering for so long? I don't think that it would be too complex to script a cron job to tag them with a violation and registered to a bogus PF user account used for these hosts, but wanted to know if there is a better way.
Just looking for suggestions for how others are handling these issues before I start attacking the code with custom hacks for fixes that may have already been solved with existing tools inside PF.
Thanks for any pointers you can provide...
-Arthur
-------------------------------------------------------------------------
Arthur Emerson III             Email:      emer...@msmc.edu
Network Administrator          InterNIC:   AE81
Mount Saint Mary College       MaBell:     (845) 561-0800 Ext. 3109
330 Powell Ave.                Fax:        (845) 562-6762
Newburgh, NY 12550             SneakerNet: Aquinas Hall Room 11
_______________________________________________
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users
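The skip-once grace policy and the stale-node sweep described in the message above, sketched as an added example that is not part of the original post and is not PacketFence code. The record fields, time limits and function names are hypothetical, and the sample nodes are constructed.

```python
from datetime import datetime, timedelta

# All limits and field names are hypothetical; none come from PacketFence.
GRACE = timedelta(hours=24)      # assumed one-day visitor window
NAG_EVERY = timedelta(hours=4)   # assumed "every few hours" reminder
DEAD_AFTER = timedelta(days=14)  # assumed cutoff for camping devices

def portal_action(node, now):
    """Return what the portal should do for this node right now."""
    if node["registered"]:
        return "allow"
    started = node.get("skip_started")
    if started is None:
        return "register_or_skip"   # first contact: skip button offered
    if now - started >= GRACE:
        return "register_only"      # grace spent: skip is never offered again
    if now - node.get("last_nag", started) >= NAG_EVERY:
        return "nag"                # still in grace, reminder is due
    return "guest_access"

def start_skip(node, now):
    """Record the one-time skip; refuse if the node has ever used it."""
    if node["registered"] or node.get("skip_started") is not None:
        return False
    node["skip_started"] = node["last_nag"] = now
    return True

def dead_vlan_candidates(nodes, now):
    """MACs that have sat unregistered longer than DEAD_AFTER."""
    return sorted(mac for mac, n in nodes.items()
                  if not n["registered"] and now - n["first_seen"] >= DEAD_AFTER)

# Constructed sample data (not real devices).
NOW = datetime(2013, 1, 10, 12, 0)
NODES = {
    "00:00:5e:00:53:01": {"registered": False,  # phone camping on the SSID
                          "first_seen": NOW - timedelta(days=30)},
    "00:00:5e:00:53:02": {"registered": False,  # guest five hours into grace
                          "first_seen": NOW - timedelta(hours=5),
                          "skip_started": NOW - timedelta(hours=5)},
    "00:00:5e:00:53:03": {"registered": False,  # guest whose grace ran out
                          "first_seen": NOW - timedelta(days=2),
                          "skip_started": NOW - timedelta(days=2)},
}

if __name__ == "__main__":
    for mac, node in NODES.items():
        print(mac, portal_action(node, NOW))
    print("dead VLAN:", dead_vlan_candidates(NODES, NOW))
```

Keeping `skip_started` on the record after the grace period ends is what blocks a second skip; a design that clears it on expiry would let the same device skip again.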