> If they can't bring the DHCP traffic to PF, how about bringing PF to
> the DHCP traffic?  If their site security policy will not let them add
> another interface to their PF server that connects to the DMZ, could
> they add another (independent) PF server on the DMZ just to handle
> guests???

Unless I am quite mistaken, adding a PF server in the DMZ would not give PF
access to the all-important DHCP packets.  By the design he mentions, the
connections are tunnelled to the DMZ by the internal WLC, so even if you had a
PF server listening to the DMZ interface on the FW (which should in theory see
EVERYTHING), the packets would be obfuscated and not usable by PF.

The simplest solution seems to be moving the DHCP service to another device (PF 
can do it if you like). 


Jake Sallee
Godfather of Bandwidth
System Engineer
University of Mary Hardin-Baylor
WWW.UMHB.EDU

900 College St.
Belton, Texas
76513

Fone: 254-295-4658
Phax: 254-295-4221

________________________________________
From: Arthur Emerson [[email protected]]
Sent: Monday, November 03, 2014 2:24 PM
To: [email protected]
Subject: Re: [PacketFence-users] Portal access from a guest anchor controller 
in DMZ

On Nov 3, 2014, at 2:44 PM, Sallee, Jake <[email protected]> wrote:
>
> The key really is the DHCP, since your APs are most likely in central 
> switching mode the data is tunnelled from the AP to the WLC so you cannot 
> even sniff the traffic on the inside WLC... I'm not giving up, but you do 
> have a head scratcher.

If they can't bring the DHCP traffic to PF, how about bringing PF to
the DHCP traffic?  If their site security policy will not let them add
another interface to their PF server that connects to the DMZ, could
they add another (independent) PF server on the DMZ just to handle
guests???

-Arthur

-------------------------------------------------------------------------
Arthur Emerson III                 Email:      [email protected]
Network Administrator              InterNIC:   AE81
Mount Saint Mary College           MaBell:     (845) 561-0800 Ext. 3109
330 Powell Ave.                    Fax:        (845) 562-6762
Newburgh, NY  12550                SneakerNet: Aquinas Hall Room 11


------------------------------------------------------------------------------
_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
