Fabrice:

I have the dev branch up and running but I can't seem to find the VLAN filter 
you mentioned. Can you elaborate a bit on that so I can do some testing?

Also, what the heck is WRIX? When I try to look it up on Google I just come 
back with a bunch of stuff about some radio station and I am fairly sure that 
is not right.

Jake Sallee
Godfather of Bandwidth
System Engineer
University of Mary Hardin-Baylor
WWW.UMHB.EDU

900 College St.
Belton, Texas
76513

Fone: 254-295-4658
Phax: 254-295-4221

________________________________________
From: Fabrice DURAND [[email protected]]
Sent: Wednesday, June 18, 2014 1:26 PM
To: [email protected]
Subject: Re: [PacketFence-users] VLAN filter in PF 4.3 :FORMERLY: Cisco WLC, 
Private and Public WLANs

Hi Jake,

You can play with devel, which is very close to the 4.3 release.

Fabrice

On 2014-06-18 14:09, Sallee, Jake wrote:
> Fabrice:
>
>   That sounds great and exactly what I am looking for.  Do you have an ETA 
> for 4.3, and is there a beta I can play with? : )
>
>
> Jake Sallee
> Godfather of Bandwidth
> System Engineer
> University of Mary Hardin-Baylor
> WWW.UMHB.EDU
>
> 900 College St.
> Belton, Texas
> 76513
>
> Fone: 254-295-4658
> Phax: 254-295-4221
>
> ________________________________________
> From: Durand fabrice [[email protected]]
> Sent: Tuesday, June 17, 2014 4:58 PM
> To: [email protected]
> Subject: Re: [PacketFence-users] Cisco WLC, Private and Public WLANs
>
> In fact, each time PF receives, for example, a new RADIUS request, it tries to
> test the rules, and if one matches then it returns the role.
>
> The problem with re-evaluating is if the source you define in the secure
> portal profile (Active Directory) is not the same as the one defined in the
> guest portal profile (email).
> Imagine that on the secure one you have an Active Directory source, and if your
> group membership is staff then we return the staff VLAN role.
> Now you go on the open SSID and you have to re-evaluate, but on which
> source? Email? Your device has never been registered by email, so we
> can't re-evaluate.
> One option would be to unreg the device if you come from another SSID, or
> it could be: is the source I used to reg my device available on
> this portal profile? Yes -> re-evaluate, No -> unreg the device.
> It's not really simple, and the workflow can be very different for each
> customer.
> So that's why we did the VLAN filter, to allow the network admin to make his own
> rules.
>
> Fabrice
>
>
>
> On 2014-06-17 17:43, Sallee, Jake wrote:
>> That sounds great!
>>
>> However, will that role be re-evaluated on every connection? That seems to 
>> be the sticking point.
>>
>> From the example you gave it looks like it hooks into the 
>> GetNormalVlanForNode method in which case it would get re-eval'ed on every 
>> connection which is exactly what we would like.  I just want to make sure I 
>> am reading it correctly.
>>
>>
>> Jake Sallee
>> Godfather of Bandwidth
>> System Engineer
>> University of Mary Hardin-Baylor
>> WWW.UMHB.EDU
>>
>> 900 College St.
>> Belton, Texas
>> 76513
>>
>> Fone: 254-295-4658
>> Phax: 254-295-4221
>>
>> ________________________________________
>> From: Durand fabrice [[email protected]]
>> Sent: Tuesday, June 17, 2014 4:21 PM
>> To: [email protected]
>> Subject: Re: [PacketFence-users] Cisco WLC, Private and Public WLANs
>>
>> Hi all,
>>
>> In the upcoming 4.3 release we introduce the VLAN filter. The goal of this
>> feature is to move a part of the custom code from vlan/custom.pm to a
>> configuration file.
>> An example is better than a complex explanation.
>>
>> https://github.com/inverse-inc/packetfence/blob/devel/conf/vlan_filters.conf.example
>>
>> So with that you can easily force the role to guest on the open SSID
>> even if you have been registered on the secure SSID with the staff role.
>>
>> Regards
>> Fabrice
>>
>> On 2014-06-17 17:09, Sallee, Jake wrote:
>>> I think the cleanest solution would be to have the roles re-evaluated on 
>>> each connection.  Otherwise I think what you are doing is probably the way 
>>> to do it.
>>>
>>> ***TO THE PF DEVS***
>>>
>>> What is the reasoning behind never re-evaluating the roles assigned to a 
>>> user?  Is the process particularly resource intensive? If the roles were 
>>> evaluated on every connection it could make the role mechanic much more 
>>> powerful.
>>>
>>> For example: I never want anyone on my unencrypted wifi to be on the 
>>> administrative VLAN. I could set a rule that sets the role of anyone who 
>>> connects to that SSID to my untrusted VLAN. The next time that person hits 
>>> my encrypted wifi they would then be given the VLAN their credentials say 
>>> they should be on.
>>>
>>> Jake Sallee
>>> Godfather of Bandwidth
>>> System Engineer
>>> University of Mary Hardin-Baylor
>>> WWW.UMHB.EDU
>>>
>>> 900 College St.
>>> Belton, Texas
>>> 76513
>>>
>>> Fone: 254-295-4658
>>> Phax: 254-295-4221
>>> ________________________________
>>> From: Lupe Silva [[email protected]]
>>> Sent: Tuesday, June 17, 2014 3:29 PM
>>> To: [email protected]
>>> Subject: Re: [PacketFence-users] Cisco WLC, Private and Public WLANs
>>>
>>> Thanks for the reply.
>>>
>>> Yes, a re-evaluation would have been good.  I did have rules in my sources 
>>> to define rules on SSID, but like you said, it did not re-evaluate.
>>>
>>> However, after a day of digging through the PF code, I have made a few 
>>> changes and got something to work.
>>> 1) I changed my WLC radius configuration "Acct Call Station ID Type" and 
>>> "Auth Call Station ID Type" to "AP MAC Address:SSID" and "MAC Delimiter" to 
>>> "Colon".  With this change I am now getting SSID info from WLC into PF.
>>>
>>> 2) I added extra Perl code to vlan.pm (I will move it to 
>>> vlan custom) that evaluates the SSID when the connection type is 
>>> WIRELESS_MAC_AUTH.  If the SSID is the guest ID and the current role of the 
>>> node is not isolation or is not registration, then return the role of guest.
>>>
>>> It is working as I would like now.
>>>
>>> Although I have made the code changes and modifications, is/was there 
>>> another way to do this?
>>>
>>> Lupe
>>>
>>>
>>>
>>> Lupe Silva
>>>
>>>
>>>
>>> On Tue, Jun 17, 2014 at 12:29 PM, Sallee, Jake <[email protected]> wrote:
>>> What it sounds like is you want the user's role to be re-evaluated on every 
>>> connection, right?
>>>
>>> How are you assigning the role now?
>>>
>>> In the sources config, do you have a rule that assigns the role based on 
>>> the SSID?
>>>
>>> I don't know if the rules in your sources config get evaluated every time 
>>> (it would be nice) and I also don't know if the rules are first-match-exit 
>>> or fall-through.  But it seems like a good place to start.
>>>
>>> Jake Sallee
>>> Godfather of Bandwidth
>>> System Engineer
>>> University of Mary Hardin-Baylor
>>> WWW.UMHB.EDU
>>>
>>> 900 College St.
>>> Belton, Texas
>>> 76513
>>>
>>> Fone: 254-295-4658
>>> Phax: 254-295-4221
>>> ________________________________
>>> From: Lupe Silva [[email protected]]
>>> Sent: Tuesday, June 17, 2014 10:14 AM
>>> To: [email protected]
>>> Subject: Re: [PacketFence-users] Cisco WLC, Private and Public WLANs
>>>
>>> Thanks for the response.
>>> My objective is as follows:
>>> One private SSID for staff and students that uses WPA2/802.1X and assigns 
>>> the VLAN according to their role.  We have Active Directory and with 
>>> this setup, users only need to log into their workstations and their roles 
>>> will be assigned accordingly.
>>>
>>> I want a separate public SSID for guests.  Using the PF docs, I am creating 
>>> an open WLAN with MAC filtering.  I want the guests to use the PF portal to 
>>> give us their name, email, etc. to register their device, and then they 
>>> would only have access to the guest network.
>>>
>>> Right now PF sets the VLANs on the WLC (again per the PF documentation).
>>>
>>> I have the SSIDs working as expected; however, the issue occurs when a 
>>> machine is initially registered with a staff or student role, then (although 
>>> this should not happen), if a user were to switch their SSID from the 
>>> private SSID to the public SSID, they will get the VLAN assigned to the 
>>> role they got when registered on the private SSID.  So, they are using the 
>>> public SSID with no encryption accessing our internal resources.
>>>
>>>
>>>
>>> Lupe Silva
>>>
>>>
>>>
>>> On Tue, Jun 17, 2014 at 7:52 AM, Sallee, Jake <[email protected]> wrote:
>>> -----SNIP-----
>>> Right now as it stands, if a user chooses the private SSID and 
>>> authenticates, they are sent to the appropriate VLAN (staff or student).  
>>> If that user then chooses the public SSID, they will go there fine, still 
>>> on the appropriate VLAN they had registered with earlier, but in a wide 
>>> open WLAN.   Is this how it should happen?
>>> -----/SNIP-----
>>>
>>> Can you elaborate on this a bit?  Are the users supposed to be on a 
>>> different VLAN for the public SSID?  If so, how are you setting that VLAN?  
>>> Is it through PF or on the WLC?
>>>
>>> I am also running PF through a 5508 but with a slightly different setup.  I 
>>> am using a single SSID but assigning different VLANs based on user roles 
>>> and credentials.
>>>
>>> I will be AFK for a bit but I will respond as soon as I can when I see your 
>>> response.
>>>
>>> Jake Sallee
>>> Godfather of Bandwidth
>>> System Engineer
>>> University of Mary Hardin-Baylor
>>> WWW.UMHB.EDU
>>>
>>> 900 College St.
>>> Belton, Texas
>>> 76513
>>>
>>> Fone: 254-295-4658
>>> Phax: 254-295-4221
>>> ________________________________
>>> From: Lupe Silva [[email protected]]
>>> Sent: Monday, June 16, 2014 6:57 PM
>>> To: [email protected]
>>> Subject: [PacketFence-users] Cisco WLC, Private and Public WLANs
>>>
>>> I have PacketFence working with my Cisco WLC 5508 with both a private and 
>>> public SSID, as per instructions. The private uses 802.1X authentication 
>>> with WPA2.  The public open one will use the PF portal to get users registered.
>>>
>>> I basically have 3 VLANs, staff, students and guest (plus registration and 
>>> isolation) with the two SSIDs, private and public.
>>>
>>> Right now as it stands, if a user chooses the private SSID and 
>>> authenticates, they are sent to the appropriate VLAN (staff or student).  
>>> If that user then chooses the public SSID, they will go there fine, still 
>>> on the appropriate VLAN they had registered with earlier, but in a wide 
>>> open WLAN.   Is this how it should happen?
>>>
>>> Since PF and the Cisco WLC do not send the SSID back and forth, is there a way 
>>> to configure the public SSID so it can only have access to the public VLAN 
>>> (and registration and isolation)?  If a device was registered as guest or 
>>> staff, I would like it to change its registration to guest so it will not 
>>> compromise security.
>>>
>>> Thanks in advance.
>>>
>>>
>>> Lupe Silva
>>>
>>>
>>> ------------------------------------------------------------------------------
>>> HPCC Systems Open Source Big Data Platform from LexisNexis Risk Solutions
>>> Find What Matters Most in Your Big Data with HPCC Systems
>>> Open Source. Fast. Scalable. Simple. Ideal for Dirty Data.
>>> Leverages Graph Analysis for Fast Processing & Easy Data Exploration
>>> http://p.sf.net/sfu/hpccsystems
>>> _______________________________________________
>>> PacketFence-users mailing list
>>> [email protected]
>>> https://lists.sourceforge.net/lists/listinfo/packetfence-users
>>>
>>>


--
Fabrice Durand
[email protected] ::  +1.514.447.4918 (x135) ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
(http://packetfence.org)
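
Added example (not part of the thread and not PacketFence code): a Python model of the per-request decision Lupe describes in steps 1 and 2 above, where the SSID is taken from a Called-Station-Id in "AP MAC Address:SSID" form and a stored staff or student role is overridden to guest on the open SSID. The function names, the SSID "Campus-Guest" and the choice to fall back to guest when MAC auth arrives without an SSID are assumptions made for illustration.

```python
import re

# Called-Station-Id as sent by a WLC set to "AP MAC Address:SSID" with a
# colon MAC delimiter: six hex octets, one more colon, then the SSID.
_CALLED_STATION = re.compile(r"^((?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}):(.*)$")

# Assumed site values, not taken from the thread.
OPEN_SSIDS = {"Campus-Guest"}
GUEST_ROLE = "guest"
ENFORCEMENT_ROLES = {"registration", "isolation"}


def split_called_station_id(value):
    """Return (ap_mac, ssid); ssid is None when no SSID is present."""
    value = value.strip()
    m = _CALLED_STATION.match(value)
    if not m:
        # Bare AP MAC or unexpected format: treat the SSID as unknown.
        return (value.lower() or None), None
    # The SSID may itself contain colons, so everything after the MAC is kept.
    return m.group(1).lower(), (m.group(2) or None)


def role_for_request(stored_role, connection_type, called_station_id):
    """Pick the role for one RADIUS request; runs on every connection."""
    _, ssid = split_called_station_id(called_station_id)
    if connection_type != "WIRELESS_MAC_AUTH":
        # 802.1X on the encrypted SSID keeps the role tied to the credentials.
        return stored_role
    if stored_role in ENFORCEMENT_ROLES:
        # Never lift a device out of registration or isolation.
        return stored_role
    if ssid is None or ssid in OPEN_SSIDS:
        # Assumption: an unknown SSID on MAC auth is treated like the open
        # WLAN, so a stored staff role cannot leak onto it.
        return GUEST_ROLE
    return stored_role
```

The stored role is never modified here, so the next 802.1X connection on the private SSID still gets the role the credentials map to.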

