What it sounds like is you want the user's role to be re-evaluated on every 
connection, right?

How are you assigning the role now?

In the sources config, do you have a rule that assigns the role based on the 
SSID?

I don't know if the rules in your sources config get evaluated every time (it 
would be nice) and I also don't know if the rules are first-match-exit or 
fall-through.  But it seems like a good place to start.

Jake Sallee
Godfather of Bandwidth
System Engineer
University of Mary Hardin-Baylor
WWW.UMHB.EDU

900 College St.
Belton, Texas
76513

Fone: 254-295-4658
Phax: 254-295-4221
________________________________
From: Lupe Silva [[email protected]]
Sent: Tuesday, June 17, 2014 10:14 AM
To: [email protected]
Subject: Re: [PacketFence-users] Cisco WLC, Private and Public WLANs

Thanks for the response.
My objective is as follows:
One private SSID for staff and students that uses WPA2/802.1X that assigns to 
the vlan according to their role.  We have Active Directory and with this 
setup, users only need to log into their workstations and their roles will be 
assigned accordingly.

I want a separate public SSID for guests.  Using the PF Docs, I am creating an 
open wlan with mac filtering.  I want the guests to use PF portal to give us 
their name, email, etc. to register their device and then they would only have 
access to guest network.

Right now PF sets the vlans on the WLC (again per the PF documentation).

I have the SSIDs working as expected, however, the issue occurs when a machine 
is initially registered as a staff or student role, then (although this should 
not happen), if a user were to switch their SSID from the private SSID to 
the public SSID, they will get the vlan assigned to the role they got when 
registered on the private SSID.  So, they are using the public SSID with no 
encryption accessing our internal resources.



Lupe Silva



On Tue, Jun 17, 2014 at 7:52 AM, Sallee, Jake <[email protected]> wrote:
-----SNIP-----
Right now as it stands, if a user chooses the private SSID, and authenticates, 
they are sent to the appropriate VLAN (staff or student).  If that user then 
chooses the public SSID, they will go there fine still on their appropriate 
vlan they had registered with earlier, but in a wide open WLAN.   Is this how 
it should happen?
-----/SNIP-----

Can you elaborate on this a bit?  Are the users supposed to be on a different 
vlan for the public ssid?  If so, how are you setting that vlan?  Is it through 
PF or on the WLC?

I am also running PF through a 5508 but with a slightly different setup.  I am 
using a single ssid but assigning different vlans based on user roles and 
credentials.

I will be AFK for a bit but I will respond as soon as I can when I see your 
response.

Jake Sallee
Godfather of Bandwidth
System Engineer
University of Mary Hardin-Baylor
WWW.UMHB.EDU

900 College St.
Belton, Texas
76513

Fone: 254-295-4658
Phax: 254-295-4221
________________________________
From: Lupe Silva [[email protected]]
Sent: Monday, June 16, 2014 6:57 PM
To: [email protected]
Subject: [PacketFence-users] Cisco WLC, Private and Public WLANs

I have PacketFence working with my Cisco WLC 5508 with both a private and 
public SSID, as per instructions. The private uses 802.1x authentication with 
WPA2.  The public open will use PF portal to get users registered.

I basically have 3 vlans, staff, students and guest (plus registration and 
isolation) with the two SSIDs, private and public.

Right now as it stands, if a user chooses the private SSID, and authenticates, 
they are sent to the appropriate VLAN (staff or student).  If that user then 
chooses the public SSID, they will go there fine still on their appropriate 
vlan they had registered with earlier, but in a wide open WLAN.   Is this how 
it should happen?

Since PF and the CISCO WLC do not send SSID back and forth, is there a way to 
configure the public SSID so it can only have access to the public VLAN (and 
registration and isolation)?  If a device was registered as guest or staff, I 
would like it to change its registration to guest so it will not compromise 
security.

Thanks in advance.


Lupe Silva


------------------------------------------------------------------------------
HPCC Systems Open Source Big Data Platform from LexisNexis Risk Solutions
Find What Matters Most in Your Big Data with HPCC Systems
Open Source. Fast. Scalable. Simple. Ideal for Dirty Data.
Leverages Graph Analysis for Fast Processing & Easy Data Exploration
http://p.sf.net/sfu/hpccsystems
_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
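
Added example, not part of the thread and not PacketFence code or configuration: a sketch of the behaviour the thread asks for, where the VLAN is decided from the SSID and the registered role on every connection with first-match rules, plus an audit that flags sessions on the open SSID holding an internal VLAN. The SSID names, rule table and session records are assumptions constructed for the illustration.

```python
# Added illustration only; this is not PacketFence code or configuration.
PRIVATE_SSID = "campus-private"  # hypothetical name for the WPA2/802.1X WLAN
PUBLIC_SSID = "campus-public"    # hypothetical name for the open WLAN

# Ordered rules, first match wins: (ssid, registered role or None = any, vlan).
RULES = [
    (PUBLIC_SSID, None, "guest"),          # open WLAN never yields an internal VLAN
    (PRIVATE_SSID, "staff", "staff"),
    (PRIVATE_SSID, "student", "students"),
]

# VLANs a session may legitimately land in, per SSID.
ALLOWED = {
    PUBLIC_SSID: {"guest", "registration", "isolation"},
    PRIVATE_SSID: {"staff", "students", "registration", "isolation"},
}

def decide_vlan(ssid, role, registered=True):
    """Re-evaluated on every connection; the stored role alone never decides."""
    if not registered:
        return "registration"
    for rule_ssid, rule_role, vlan in RULES:
        if rule_ssid == ssid and rule_role in (None, role):
            return vlan
    return "isolation"  # fail closed when no rule matches

def audit(sessions):
    """Return sessions whose assigned VLAN is not allowed on their SSID."""
    return [s for s in sessions
            if s["vlan"] not in ALLOWED.get(s["ssid"], set())]

# Constructed session records (documentation-range MACs), not real data.
SESSIONS = [
    {"mac": "00:00:5e:00:53:01", "ssid": PRIVATE_SSID, "vlan": "staff"},
    {"mac": "00:00:5e:00:53:02", "ssid": PUBLIC_SSID, "vlan": "staff"},
    {"mac": "00:00:5e:00:53:03", "ssid": PUBLIC_SSID, "vlan": "guest"},
]

if __name__ == "__main__":
    print(decide_vlan(PUBLIC_SSID, "staff"))   # staff device on the open WLAN
    for s in audit(SESSIONS):
        print("mismatch:", s["mac"], s["ssid"], s["vlan"])
```

Putting the public-SSID rule first is what keeps a previously registered staff or student device in the guest VLAN when it joins the open WLAN.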

