Jake,
Wrix is short for Wireless Roaming Intermediary eXchange.
Think of it as Metadata for wireless hotspot.
At the moment we only store this information we do not do anything
useful with.
You can find out more here.
http://www.wballiance.com/resource-center/specifications/
James Rouzier
[email protected] :: +1.514.755.3630 :: http://www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence
(http://www.packetfence.org)
On 2014-06-25, 11:17 AM, Sallee, Jake wrote:
Fabrice:
I have the dev branch up and running but I cant seem to find the VLan filter
you mentioned, can you elaborate a bit on that so I can do some testing?
Also, what the heck is WRIX? when I try to look it up on google I just come
back with a bunch of stuff about some radio station and I am fairly sure that
is not right.
Jake Sallee
Godfather of Bandwidth
System Engineer
University of Mary Hardin-Baylor
WWW.UMHB.EDU
900 College St.
Belton, Texas
76513
Fone: 254-295-4658
Phax: 254-295-4221
________________________________________
From: Fabrice DURAND [[email protected]]
Sent: Wednesday, June 18, 2014 1:26 PM
To: [email protected]
Subject: Re: [PacketFence-users] VLAN filter in PF 4.3 :FORMERLY: Cisco WLC,
Private and Public WLANs
Hi Jake,
you can play with devel which is very close to the 4.3 release.
Fabrice
Le 2014-06-18 14:09, Sallee, Jake a écrit :
Fabrice:
That sounds great and exactly what I am looking for. Do you have an ETA for
4.3, and is there a beta I can play with? : )
Jake Sallee
Godfather of Bandwidth
System Engineer
University of Mary Hardin-Baylor
WWW.UMHB.EDU
900 College St.
Belton, Texas
76513
Fone: 254-295-4658
Phax: 254-295-4221
________________________________________
From: Durand fabrice [[email protected]]
Sent: Tuesday, June 17, 2014 4:58 PM
To: [email protected]
Subject: Re: [PacketFence-users] Cisco WLC, Private and Public WLANs
In fact each time pf receive per example a new radius request it try to
test the rules and if it match then it return the role.
The problem with reévaluate is if the source you define in the secure
portal profile (Active Directory) is not the same as defined in the
guest portal profile (email).
Imagine on the secure you have a active directory source and if your
group membership is staff then we return the staff vlan role.
Now you go on the open ssid and you have to reévaluate but on which
source ? Email ? your device has never been registered by email so we
can´t reévaluate.
One option should be unreg the device if you come from another ssid or
it can be is the source i have used to reg my device is available on
this portal profile ? Yes -> reévaluate, No -> Unreg the device.
It´s not really simple and the workflow can be very different for each
customer.
So it´s why we did valn filter to allow the network admin to make is own
rules.
Fabrice
Le 2014-06-17 17:43, Sallee, Jake a écrit :
That sounds great!
However, will that role be re-evaluated on every connection? That seems to be
the sticking point.
>From the example you gave it looks like it hooks into the GetNormalVlanForNode
method in which case it would get re-eval'ed on every connection which is exactly
what we would like. I just want to make sure I am reading it correctly.
Jake Sallee
Godfather of Bandwidth
System Engineer
University of Mary Hardin-Baylor
WWW.UMHB.EDU
900 College St.
Belton, Texas
76513
Fone: 254-295-4658
Phax: 254-295-4221
________________________________________
From: Durand fabrice [[email protected]]
Sent: Tuesday, June 17, 2014 4:21 PM
To: [email protected]
Subject: Re: [PacketFence-users] Cisco WLC, Private and Public WLANs
Hi all,
in the incoming 4.3 release we introduce vlan filter, the goal of this
feature is to remove a part of the custom code from vlan/custom.pm to a
configuration file.
An example is better than a complex explanation.
https://github.com/inverse-inc/packetfence/blob/devel/conf/vlan_filters.conf.example
So with that you can easily force the role to guest on the open ssid
even if you have been reg on the secure ssid with the staff role.
Regards
Fabrice
Le 2014-06-17 17:09, Sallee, Jake a écrit :
I think the cleanest solution would be to have the roles re-evaluated on each
connection. Otherwise I think what you are doing is probably the way to do it.
***TO THE PF DEVS***
What is the reasoning behind never re-evaluating the roles assigned to a user?
Is the process particularly resource intensive? If the roles were evaluated on
every connection it could make the role mechanic much more powerful.
For example: I never want anyone on my unencrypted wifi to be on the
administrative vlan. I could set a rule that makes the role of anyone who
connects to that SSID to my untrusted vlan. The next time that person hit my
encrypted wifi they would then be given the vlan their credentials say they
should be on.
Jake Sallee
Godfather of Bandwidth
System Engineer
University of Mary Hardin-Baylor
WWW.UMHB.EDU
900 College St.
Belton, Texas
76513
Fone: 254-295-4658
Phax: 254-295-4221
________________________________
From: Lupe Silva [[email protected]]
Sent: Tuesday, June 17, 2014 3:29 PM
To: [email protected]
Subject: Re: [PacketFence-users] Cisco WLC, Private and Public WLANs
Thanks for the reply.
Yes, a re-evaluation would have been good. I did have rules in my sources to
define rules on SSID, but like you said, it did not re-evaluate.
However, after a day of digging through the PF code, I have made a few changes
and got something to work.
1) I changed my WLC radius configuration "Acct Call Station ID Type" and "Auth Call Station ID Type" to
"AP MAC Address:SSID" and "MAC Delimiter" to "Colon". With this change I am now getting SSID info
from WLC into PF.
2) I added extra perl code to vlan.pm<http://vlan.pm> (I will move it to vlan
custom) that evaluates the SSID when the connection type is WIRELESS_MAC_AUTH. If
the SSID is the guest ID and the current role of the node is not isolation or is not
registration, then return the role of guest.
It is working I would like now.
Although I have made the code changes and modifications, is/was there another
way to do this?
Lupe
Lupe Silva
On Tue, Jun 17, 2014 at 12:29 PM, Sallee, Jake
<[email protected]<mailto:[email protected]>> wrote:
What it sounds like is you want the user's role to be re-evaluated on every
connection, right?
How are you assigning the role now?
In the sources config, do you have a rule that assigns the role based on the
SSID?
I don't know if the rules in your sources config get evaluated every time (it
would be nice) and I also don't know if the rules are first-match-exit or
fall-through. But it seems like a good place to start.
Jake Sallee
Godfather of Bandwidth
System Engineer
University of Mary Hardin-Baylor
WWW.UMHB.EDU<http://WWW.UMHB.EDU>
900 College St.
Belton, Texas
76513
Fone: 254-295-4658<tel:254-295-4658>
Phax: 254-295-4221<tel:254-295-4221>
________________________________
From: Lupe Silva [[email protected]<mailto:[email protected]>]
Sent: Tuesday, June 17, 2014 10:14 AM
To:
[email protected]<mailto:[email protected]>
Subject: Re: [PacketFence-users] Cisco WLC, Private and Public WLANs
Thanks for the response.
My objective is as follows:
One private SSID for staff and students that uses WPA2/802.1X that assigns to
the vlan according to their role. We have Active Directory and with this
setup, users only need to log into their workstations and their roles will be
assigned accordingly.
I want a separate public SSID for guests. Using the PF Docs, i am creating an
open wlan with mac filtering. I want the guests to use PF portal to give us
their name, email, etc to register their device and then they would only have
access to guest network.
Right now PF sets the vlans on the WLC (again per the PF documentation).
I have the SSID's working as expected, however, the issue occurs when a machine
is initially registered as a staff or student roll, then (although this should
not happen), if a user were to switch their SSID from the the private SSID to
the public SSID, they will get the vlan assigned to their roll they got when
registered on the private SSID. So, they are using the public SSID with no
encryption accessing our internal resources.
Lupe Silva
On Tue, Jun 17, 2014 at 7:52 AM, Sallee, Jake
<[email protected]<mailto:[email protected]><mailto:[email protected]<mailto:[email protected]>>>
wrote:
-----SNIP-----
Right now as it stands, if a users chooses the private SSID, and authenticates,
they are sent to the appropriate. VLAN (staff or student). If that users then
chooses the public SSID, they will go there fine still on their appropriate
vlan they had registered with earlier, but in a wide open WLAN. Is this how
it should happen?
-----/SNIP-----
Can you elaborate on this a bit? Are the users supposed to be on a different
vlan for the public ssid? If so, how are you setting that vlan? Is it through
PF or on the WLC?
I am also running PF through a 5508 but with a slightly different setup. I am
using a single ssid but assigning different vlans based on user roles and
credentials.
I will be AFK for a bit but I will respond as soon as I can when I see your
response.
Jake Sallee
Godfather of Bandwidth
System Engineer
University of Mary Hardin-Baylor
WWW.UMHB.EDU<http://WWW.UMHB.EDU><http://WWW.UMHB.EDU>
900 College St.
Belton, Texas
76513
Fone: 254-295-4658<tel:254-295-4658><tel:254-295-4658<tel:254-295-4658>>
Phax: 254-295-4221<tel:254-295-4221><tel:254-295-4221<tel:254-295-4221>>
________________________________
From: Lupe Silva
[[email protected]<mailto:[email protected]><mailto:[email protected]<mailto:[email protected]>>]
Sent: Monday, June 16, 2014 6:57 PM
To:
[email protected]<mailto:[email protected]><mailto:[email protected]<mailto:[email protected]>>
Subject: [PacketFence-users] Cisco WLC, Private and Public WLANs
I have PacketFence working with my Cisco WLC 5508 with both a private and
public SSID. as per instructions. The private uses 802.1x authentication with
WPA2. The public open will use PF portal to get users registered.
I basically have 3 vlan, staff, students and guest (plus registration and
isolation) with the two SSID's, private and public.
Right now as it stands, if a users chooses the private SSID, and authenticates,
they are sent to the appropriate. VLAN (staff or student). If that users then
chooses the public SSID, they will go there fine still on their appropriate
vlan they had registered with earlier, but in a wide open WLAN. Is this how
it should happen?
Since PF and the CISCO WLC do not sent SSID back and forth, is there a way to
configure the public SSID so it can only have access to the public VLAN (and
registration and isolation)? If a device was registered as guest or staff, I
would like it to change its registration to guest so it will not compromise
security.
Thanks in advance.
Lupe Silva
------------------------------------------------------------------------------
HPCC Systems Open Source Big Data Platform from LexisNexis Risk Solutions
Find What Matters Most in Your Big Data with HPCC Systems
Open Source. Fast. Scalable. Simple. Ideal for Dirty Data.
Leverages Graph Analysis for Fast Processing & Easy Data Exploration
http://p.sf.net/sfu/hpccsystems
_______________________________________________
PacketFence-users mailing list
[email protected]<mailto:[email protected]><mailto:[email protected]<mailto:[email protected]>>
https://lists.sourceforge.net/lists/listinfo/packetfence-users
------------------------------------------------------------------------------
HPCC Systems Open Source Big Data Platform from LexisNexis Risk Solutions
Find What Matters Most in Your Big Data with HPCC Systems
Open Source. Fast. Scalable. Simple. Ideal for Dirty Data.
Leverages Graph Analysis for Fast Processing & Easy Data Exploration
http://p.sf.net/sfu/hpccsystems
_______________________________________________
PacketFence-users mailing list
[email protected]<mailto:[email protected]>
https://lists.sourceforge.net/lists/listinfo/packetfence-users
------------------------------------------------------------------------------
HPCC Systems Open Source Big Data Platform from LexisNexis Risk Solutions
Find What Matters Most in Your Big Data with HPCC Systems
Open Source. Fast. Scalable. Simple. Ideal for Dirty Data.
Leverages Graph Analysis for Fast Processing & Easy Data Exploration
http://p.sf.net/sfu/hpccsystems
_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
------------------------------------------------------------------------------
HPCC Systems Open Source Big Data Platform from LexisNexis Risk Solutions
Find What Matters Most in Your Big Data with HPCC Systems
Open Source. Fast. Scalable. Simple. Ideal for Dirty Data.
Leverages Graph Analysis for Fast Processing & Easy Data Exploration
http://p.sf.net/sfu/hpccsystems
_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
------------------------------------------------------------------------------
HPCC Systems Open Source Big Data Platform from LexisNexis Risk Solutions
Find What Matters Most in Your Big Data with HPCC Systems
Open Source. Fast. Scalable. Simple. Ideal for Dirty Data.
Leverages Graph Analysis for Fast Processing & Easy Data Exploration
http://p.sf.net/sfu/hpccsystems
_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
------------------------------------------------------------------------------
HPCC Systems Open Source Big Data Platform from LexisNexis Risk Solutions
Find What Matters Most in Your Big Data with HPCC Systems
Open Source. Fast. Scalable. Simple. Ideal for Dirty Data.
Leverages Graph Analysis for Fast Processing & Easy Data Exploration
http://p.sf.net/sfu/hpccsystems
_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
------------------------------------------------------------------------------
HPCC Systems Open Source Big Data Platform from LexisNexis Risk Solutions
Find What Matters Most in Your Big Data with HPCC Systems
Open Source. Fast. Scalable. Simple. Ideal for Dirty Data.
Leverages Graph Analysis for Fast Processing & Easy Data Exploration
http://p.sf.net/sfu/hpccsystems
_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
--
Fabrice Durand
[email protected] :: +1.514.447.4918 (x135) :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence
(http://packetfence.org)
------------------------------------------------------------------------------
HPCC Systems Open Source Big Data Platform from LexisNexis Risk Solutions
Find What Matters Most in Your Big Data with HPCC Systems
Open Source. Fast. Scalable. Simple. Ideal for Dirty Data.
Leverages Graph Analysis for Fast Processing & Easy Data Exploration
http://p.sf.net/sfu/hpccsystems
_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
------------------------------------------------------------------------------
Open source business process management suite built on Java and Eclipse
Turn processes into business applications with Bonita BPM Community Edition
Quickly connect people, data, and systems into organized workflows
Winner of BOSSIE, CODIE, OW2 and Gartner awards
http://p.sf.net/sfu/Bonitasoft
_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
------------------------------------------------------------------------------
Open source business process management suite built on Java and Eclipse
Turn processes into business applications with Bonita BPM Community Edition
Quickly connect people, data, and systems into organized workflows
Winner of BOSSIE, CODIE, OW2 and Gartner awards
http://p.sf.net/sfu/Bonitasoft
_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
