That sounds great! However, will that role be re-evaluated on every connection? That seems to be the sticking point.
>From the example you gave it looks like it hooks into the GetNormalVlanForNode >method in which case it would get re-eval'ed on every connection which is >exactly what we would like. I just want to make sure I am reading it >correctly. Jake Sallee Godfather of Bandwidth System Engineer University of Mary Hardin-Baylor WWW.UMHB.EDU 900 College St. Belton, Texas 76513 Fone: 254-295-4658 Phax: 254-295-4221 ________________________________________ From: Durand fabrice [[email protected]] Sent: Tuesday, June 17, 2014 4:21 PM To: [email protected] Subject: Re: [PacketFence-users] Cisco WLC, Private and Public WLANs Hi all, in the incoming 4.3 release we introduce vlan filter, the goal of this feature is to remove a part of the custom code from vlan/custom.pm to a configuration file. An example is better than a complex explanation. https://github.com/inverse-inc/packetfence/blob/devel/conf/vlan_filters.conf.example So with that you can easily force the role to guest on the open ssid even if you have been reg on the secure ssid with the staff role. Regards Fabrice Le 2014-06-17 17:09, Sallee, Jake a écrit : > I think the cleanest solution would be to have the roles re-evaluated on each > connection. Otherwise I think what you are doing is probably the way to do > it. > > ***TO THE PF DEVS*** > > What is the reasoning behind never re-evaluating the roles assigned to a > user? Is the process particularly resource intensive? If the roles were > evaluated on every connection it could make the role mechanic much more > powerful. > > For example: I never want anyone on my unencrypted wifi to be on the > administrative vlan. I could set a rule that makes the role of anyone who > connects to that SSID to my untrusted vlan. The next time that person hit my > encrypted wifi they would then be given the vlan their credentials say they > should be on. > > Jake Sallee > Godfather of Bandwidth > System Engineer > University of Mary Hardin-Baylor > WWW.UMHB.EDU > > 900 College St. > Belton, Texas > 76513 > > Fone: 254-295-4658 > Phax: 254-295-4221 > ________________________________ > From: Lupe Silva [[email protected]] > Sent: Tuesday, June 17, 2014 3:29 PM > To: [email protected] > Subject: Re: [PacketFence-users] Cisco WLC, Private and Public WLANs > > Thanks for the reply. > > Yes, a re-evaluation would have been good. I did have rules in my sources to > define rules on SSID, but like you said, it did not re-evaluate. > > However, after a day of digging through the PF code, I have made a few > changes and got something to work. > 1) I changed my WLC radius configuration "Acct Call Station ID Type" and > "Auth Call Station ID Type" to "AP MAC Address:SSID" and "MAC Delimiter" to > "Colon". With this change I am now getting SSID info from WLC into PF. > > 2) I added extra perl code to vlan.pm<http://vlan.pm> (I will move it to vlan > custom) that evaluates the SSID when the connection type is > WIRELESS_MAC_AUTH. If the SSID is the guest ID and the current role of the > node is not isolation or is not registration, then return the role of guest. > > It is working I would like now. > > Although I have made the code changes and modifications, is/was there another > way to do this? > > Lupe > > > > Lupe Silva > > > > On Tue, Jun 17, 2014 at 12:29 PM, Sallee, Jake > <[email protected]<mailto:[email protected]>> wrote: > What it sounds like is you want the user's role to be re-evaluated on every > connection, right? > > How are you assigning the role now? > > In the sources config, do you have a rule that assigns the role based on the > SSID? > > I don't know if the rules in your sources config get evaluated every time (it > would be nice) and I also don't know if the rules are first-match-exit or > fall-through. But it seems like a good place to start. > > Jake Sallee > Godfather of Bandwidth > System Engineer > University of Mary Hardin-Baylor > WWW.UMHB.EDU<http://WWW.UMHB.EDU> > > 900 College St. > Belton, Texas > 76513 > > Fone: 254-295-4658<tel:254-295-4658> > Phax: 254-295-4221<tel:254-295-4221> > ________________________________ > From: Lupe Silva [[email protected]<mailto:[email protected]>] > Sent: Tuesday, June 17, 2014 10:14 AM > To: > [email protected]<mailto:[email protected]> > Subject: Re: [PacketFence-users] Cisco WLC, Private and Public WLANs > > Thanks for the response. > My objective is as follows: > One private SSID for staff and students that uses WPA2/802.1X that assigns to > the vlan according to their role. We have Active Directory and with this > setup, users only need to log into their workstations and their roles will be > assigned accordingly. > > I want a separate public SSID for guests. Using the PF Docs, i am creating > an open wlan with mac filtering. I want the guests to use PF portal to give > us their name, email, etc to register their device and then they would only > have access to guest network. > > Right now PF sets the vlans on the WLC (again per the PF documentation). > > I have the SSID's working as expected, however, the issue occurs when a > machine is initially registered as a staff or student roll, then (although > this should not happen), if a user were to switch their SSID from the the > private SSID to the public SSID, they will get the vlan assigned to their > roll they got when registered on the private SSID. So, they are using the > public SSID with no encryption accessing our internal resources. > > > > Lupe Silva > > > > On Tue, Jun 17, 2014 at 7:52 AM, Sallee, Jake > <[email protected]<mailto:[email protected]><mailto:[email protected]<mailto:[email protected]>>> > wrote: > -----SNIP----- > Right now as it stands, if a users chooses the private SSID, and > authenticates, they are sent to the appropriate. VLAN (staff or student). If > that users then chooses the public SSID, they will go there fine still on > their appropriate vlan they had registered with earlier, but in a wide open > WLAN. Is this how it should happen? > -----/SNIP----- > > Can you elaborate on this a bit? Are the users supposed to be on a different > vlan for the public ssid? If so, how are you setting that vlan? Is it > through PF or on the WLC? > > I am also running PF through a 5508 but with a slightly different setup. I > am using a single ssid but assigning different vlans based on user roles and > credentials. > > I will be AFK for a bit but I will respond as soon as I can when I see your > response. > > Jake Sallee > Godfather of Bandwidth > System Engineer > University of Mary Hardin-Baylor > WWW.UMHB.EDU<http://WWW.UMHB.EDU><http://WWW.UMHB.EDU> > > 900 College St. > Belton, Texas > 76513 > > Fone: 254-295-4658<tel:254-295-4658><tel:254-295-4658<tel:254-295-4658>> > Phax: 254-295-4221<tel:254-295-4221><tel:254-295-4221<tel:254-295-4221>> > ________________________________ > From: Lupe Silva > [[email protected]<mailto:[email protected]><mailto:[email protected]<mailto:[email protected]>>] > Sent: Monday, June 16, 2014 6:57 PM > To: > [email protected]<mailto:[email protected]><mailto:[email protected]<mailto:[email protected]>> > Subject: [PacketFence-users] Cisco WLC, Private and Public WLANs > > I have PacketFence working with my Cisco WLC 5508 with both a private and > public SSID. as per instructions. The private uses 802.1x authentication with > WPA2. The public open will use PF portal to get users registered. > > I basically have 3 vlan, staff, students and guest (plus registration and > isolation) with the two SSID's, private and public. > > Right now as it stands, if a users chooses the private SSID, and > authenticates, they are sent to the appropriate. VLAN (staff or student). If > that users then chooses the public SSID, they will go there fine still on > their appropriate vlan they had registered with earlier, but in a wide open > WLAN. Is this how it should happen? > > Since PF and the CISCO WLC do not sent SSID back and forth, is there a way to > configure the public SSID so it can only have access to the public VLAN (and > registration and isolation)? If a device was registered as guest or staff, I > would like it to change its registration to guest so it will not compromise > security. > > Thanks in advance. > > > Lupe Silva > > > ------------------------------------------------------------------------------ > HPCC Systems Open Source Big Data Platform from LexisNexis Risk Solutions > Find What Matters Most in Your Big Data with HPCC Systems > Open Source. Fast. Scalable. Simple. Ideal for Dirty Data. > Leverages Graph Analysis for Fast Processing & Easy Data Exploration > http://p.sf.net/sfu/hpccsystems > _______________________________________________ > PacketFence-users mailing list > [email protected]<mailto:[email protected]><mailto:[email protected]<mailto:[email protected]>> > https://lists.sourceforge.net/lists/listinfo/packetfence-users > > > ------------------------------------------------------------------------------ > HPCC Systems Open Source Big Data Platform from LexisNexis Risk Solutions > Find What Matters Most in Your Big Data with HPCC Systems > Open Source. Fast. Scalable. Simple. Ideal for Dirty Data. > Leverages Graph Analysis for Fast Processing & Easy Data Exploration > http://p.sf.net/sfu/hpccsystems > _______________________________________________ > PacketFence-users mailing list > [email protected]<mailto:[email protected]> > https://lists.sourceforge.net/lists/listinfo/packetfence-users > > > ------------------------------------------------------------------------------ > HPCC Systems Open Source Big Data Platform from LexisNexis Risk Solutions > Find What Matters Most in Your Big Data with HPCC Systems > Open Source. Fast. Scalable. Simple. Ideal for Dirty Data. > Leverages Graph Analysis for Fast Processing & Easy Data Exploration > http://p.sf.net/sfu/hpccsystems > _______________________________________________ > PacketFence-users mailing list > [email protected] > https://lists.sourceforge.net/lists/listinfo/packetfence-users ------------------------------------------------------------------------------ HPCC Systems Open Source Big Data Platform from LexisNexis Risk Solutions Find What Matters Most in Your Big Data with HPCC Systems Open Source. Fast. Scalable. Simple. Ideal for Dirty Data. Leverages Graph Analysis for Fast Processing & Easy Data Exploration http://p.sf.net/sfu/hpccsystems _______________________________________________ PacketFence-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/packetfence-users ------------------------------------------------------------------------------ HPCC Systems Open Source Big Data Platform from LexisNexis Risk Solutions Find What Matters Most in Your Big Data with HPCC Systems Open Source. Fast. Scalable. Simple. Ideal for Dirty Data. Leverages Graph Analysis for Fast Processing & Easy Data Exploration http://p.sf.net/sfu/hpccsystems _______________________________________________ PacketFence-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/packetfence-users
