I don't know about others but the diagram looks fine to me. If the traffic was not tunnelled then this would be much easier ... the problem is that PF NEEDS to see the DHCP packets and since your WLC is providing DHCP inside a tunnelled connection the packets that would normally be broadcast and therefore visible to PF are not.
I run a few WLCs as well, but I do not use them for DHCP ... ... I will have to think about this one ... The key really is the DHCP, since your APs are most likely in central switching mode the data is tunnelled from the AP to the WLC so you cannot even sniff the traffic on the inside WLC... I'm not giving up, but you do have a head scratcher. All the rest of your questions can be solved by some straightforward routing and firewall ACLs (allowing access to the PF portal, what IP to give the portal, etc.) But your DHCP is a complete black box to PF and while it is running on the WLC I am not sure how you can get the necessary info to PF. You may want to engage TAC on this one. But don't expect too much, Cisco is pretty much breaking all NAC compatibility in favor of ISE.

Jake Sallee
Godfather of Bandwidth
System Engineer
University of Mary Hardin-Baylor
WWW.UMHB.EDU
900 College St.
Belton, Texas 76513
Fone: 254-295-4658
Phax: 254-295-4221

________________________________________
From: Christopher Mielke [[email protected]]
Sent: Monday, November 03, 2014 10:45 AM
To: [email protected]
Subject: Re: [PacketFence-users] Portal access from a guest anchor controller in DMZ

I have no idea how the formatting will look in various email clients. It looked good in notepad and will hopefully help...or, it will be a garbled mess.

                --------
                | Client |
                --------
                    |
                    |
       -------------       -----------
       |    LAN    |-------| PF Server |   10.x.x.x
       -------------       -----------
             |
             |
         ---------
         | LAN WLC |   Client connects to AP on this controller
         ---------
            | |
            | |
            | |   <---Wireless session tunneled to DMZ controller
            | |
            | |
            | |
       ----------                  ---------
       |   \/   |                  |       |
       | Firewall |--------------| DMZ WLC |   WLC Serves DHCP (192.168.x.x). Client traffic originates from here.
       |        |--------------|         |
       ----------   RADIUS to PF   ---------
            |
            |
       ----------
       | Internet |
       ----------

Thanks,

_______________________________________
Chris Mielke | Lead, ISS Network Systems
Drake Technology Services (DTS) | Drake University
T 515.271.4640
E [email protected]

________________________________________
From: Sallee, Jake <[email protected]>
Sent: Monday, November 03, 2014 9:57 AM
To: [email protected]
Subject: Re: [PacketFence-users] Portal access from a guest anchor controller in DMZ

That's a pretty neat setup. I am having a little bit of trouble visualizing it though. Would it be possible for you to post a simple (and sanitized) diagram? I think I know what you are asking about but I want to make sure.

Jake Sallee
Godfather of Bandwidth
System Engineer
University of Mary Hardin-Baylor
WWW.UMHB.EDU
900 College St.
Belton, Texas 76513
Fone: 254-295-4658
Phax: 254-295-4221

________________________________________
From: Christopher Mielke [[email protected]]
Sent: Monday, November 03, 2014 9:15 AM
To: [email protected]
Subject: [PacketFence-users] Portal access from a guest anchor controller in DMZ

I am trying to set up PacketFence for guest wireless users so they can register via email or SMS. I was able to get this working on a test network with a very simple design where the vlan was locally reachable by both the wireless controller and the PacketFence server. However, in production we have a different setup with multiple Cisco 5508 controllers running 7.6.130.0. A couple controllers are on the LAN and another is outside a firewall in a DMZ. The controller in the DMZ operates as a guest anchor controller, so clients connecting to the guest SSID have their traffic tunneled from the controllers on the LAN to the controller on the DMZ. In this way, client traffic is originated from the DMZ.
This works great using the Cisco captive portal, but we want to transition to PacketFence in order to provide self-service guest wireless registrations with unique credentials. I have created a test SSID according to the instructions for "Wireless LAN Controller (WLC) Web Auth" on pages 79-83 of the Network Devices Configuration Guide and have opened up RADIUS traffic from the DMZ controller to the PacketFence server. The Web Auth setup made sense in the test network with a local VLAN, but I'm not sure how to get this working with a guest anchor controller. The guest controller provides DHCP services for the clients and since it is in a DMZ, there is no place to provide an "ip helper" address to forward DHCP info to the PacketFence server. Maybe this isn't necessary with the Web Auth model. Also, I'm not sure what to use as a captive portal address. Should I just create a registration vlan and point to the PacketFence address on that VLAN? Originally, I was trying to point this to the management IP address of the PacketFence server, but that does not seem to be working. Also, do I need to set up a routed registration vlan so PacketFence recognizes that clients with IP addresses from the DMZ need to be registered? Does anyone else have this type of setup working? Any help would be greatly appreciated.
Thanks,

_______________________________________
Chris Mielke | Lead, ISS Network Systems
Drake Technology Services (DTS) | Drake University
T 515.271.4640
E [email protected]

------------------------------------------------------------------------------
_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
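Added example, not from the thread and not PacketFence's own code: a small parser that pulls the MAC-to-IP binding out of a DHCPACK, which is the information a DHCP listener on the PF side never receives while the exchange stays inside the anchor tunnel. The packet builder, the MAC and the 192.168.50.x address are constructed for the demo.

```python
import struct
from typing import Optional, Tuple

MAGIC_COOKIE = b"\x63\x82\x53\x63"   # RFC 2132 cookie that precedes the DHCP options
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}


def parse_dhcp(payload: bytes) -> dict:
    """Parse the fixed BOOTP header and the DHCP option TLVs of one UDP payload."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    op, htype, hlen, hops, xid = struct.unpack("!BBBBI", payload[:8])
    yiaddr = ".".join(str(b) for b in payload[16:20])           # address handed to the client
    mac = ":".join(f"{b:02x}" for b in payload[28:28 + hlen])   # chaddr, first hlen bytes
    options, i = {}, 240
    while i < len(payload):
        code = payload[i]
        if code == 255:          # end option
            break
        if code == 0:            # pad option carries no length byte
            i += 1
            continue
        length = payload[i + 1]
        options[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    msg_type = MSG_TYPES.get(options.get(53, b"\x00")[0], "UNKNOWN")
    return {"op": op, "xid": xid, "mac": mac, "yiaddr": yiaddr,
            "type": msg_type, "options": options}


def binding_from_ack(payload: bytes) -> Optional[Tuple[str, str, int]]:
    """Return (mac, ip, lease_seconds) for a DHCPACK; any other message type yields None."""
    msg = parse_dhcp(payload)
    if msg["type"] != "ACK":
        return None
    lease = struct.unpack("!I", msg["options"].get(51, b"\x00" * 4))[0]
    return msg["mac"], msg["yiaddr"], lease


def build_dhcp(msg_type: int, mac: str, yiaddr: str, lease: int = 0) -> bytes:
    """Build a constructed server-to-client DHCP message for the demo (not a real capture)."""
    chaddr = bytes.fromhex(mac.replace(":", "")).ljust(16, b"\x00")
    hdr = struct.pack("!BBBBIHH", 2, 1, 6, 0, 0x1234ABCD, 0, 0)          # BOOTREPLY, ethernet, xid
    hdr += bytes(4) + bytes(int(o) for o in yiaddr.split(".")) + bytes(8)  # ciaddr, yiaddr, siaddr, giaddr
    hdr += chaddr + bytes(64) + bytes(128) + MAGIC_COOKIE                   # chaddr, sname, file, cookie
    opts = bytes([53, 1, msg_type])
    if lease:
        opts += bytes([51, 4]) + struct.pack("!I", lease)
    return hdr + opts + b"\xff"


if __name__ == "__main__":
    ack = build_dhcp(5, "00:11:22:33:44:55", "192.168.50.23", 3600)
    print(binding_from_ack(ack))   # ('00:11:22:33:44:55', '192.168.50.23', 3600)
```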
