Hello, with WLC web auth you don't need the DHCP traffic since we do a link between the RADIUS request and the captive portal (that's why you have a redirect URL like http://192.168.0.1/cep1234, where 1234 is a session id that contains information about the device).

I remember with another client we did the same configuration: we defined the mac-auth configuration on the DMZ WLC (normal RADIUS server, not FreeRADIUS) and the traffic was tunneled to the internal WLC. You probably have to define the 2 WLCs in the PacketFence switch configuration.

Regards
Fabrice

On 2014-11-03 15:48, Sallee, Jake wrote:
>> If they can't bring the DHCP traffic to PF, how about bringing PF to
>> the DHCP traffic? If their site security policy will not let them add
>> another interface to their PF server that connects to the DMZ, could
>> they add another (independent) PF server on the DMZ just to handle
>> guests???
>
> Unless I am quite mistaken, adding a PF server in the DMZ would not give PF
> access to the all-important DHCP packets. By the design he mentions the
> connections are tunnelled to the DMZ by the internal WLC, so even if you had a
> PF server listening to the DMZ interface on the FW (which should in theory
> see EVERYTHING) the packets would be obfuscated and not usable by PF.
>
> The simplest solution seems to be moving the DHCP service to another device
> (PF can do it if you like).
>
> Jake Sallee
> Godfather of Bandwidth
> System Engineer
> University of Mary Hardin-Baylor
> WWW.UMHB.EDU
>
> 900 College St.
> Belton, Texas
> 76513
>
> Fone: 254-295-4658
> Phax: 254-295-4221
>
> ________________________________________
> From: Arthur Emerson [[email protected]]
> Sent: Monday, November 03, 2014 2:24 PM
> To: [email protected]
> Subject: Re: [PacketFence-users] Portal access from a guest anchor controller in DMZ
>
> On Nov 3, 2014, at 2:44 PM, Sallee, Jake <[email protected]> wrote:
>> The key really is the DHCP, since your APs are most likely in central
>> switching mode the data is tunnelled from the AP to the WLC so you cannot
>> even sniff the traffic on the inside WLC... I'm not giving up, but you do
>> have a head scratcher.
>
> If they can't bring the DHCP traffic to PF, how about bringing PF to
> the DHCP traffic? If their site security policy will not let them add
> another interface to their PF server that connects to the DMZ, could
> they add another (independent) PF server on the DMZ just to handle
> guests???
>
> -Arthur
>
> -------------------------------------------------------------------------
> Arthur Emerson III          Email: [email protected]
> Network Administrator       InterNIC: AE81
> Mount Saint Mary College    MaBell: (845) 561-0800 Ext. 3109
> 330 Powell Ave.             Fax: (845) 562-6762
> Newburgh, NY 12550          SneakerNet: Aquinas Hall Room 11
>
> ------------------------------------------------------------------------------
> _______________________________________________
> PacketFence-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/packetfence-users

-- 
Fabrice Durand
[email protected] :: +1.514.447.4918 (x135) :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence (http://packetfence.org)
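The linkage Fabrice describes (the RADIUS request creates a session, the session id is embedded in the web-auth redirect URL, and the portal identifies the device from that id without ever seeing DHCP), modelled as an added Python example. This is not PacketFence, WLC or any poster's code: the `/cep<id>` URL shape is taken from the thread and the RADIUS attribute names are standard, but the session store, the 300 s lifetime, the portal address and the constructed RADIUS request are assumptions made for the illustration.

```python
# Added example (not PacketFence or WLC code): a minimal model of how a
# captive portal can recognise a device from the session id carried in the
# web-auth redirect URL, so it never depends on seeing the client's DHCP.
# Assumptions: session store in memory, unused sessions expire after 300 s,
# portal reachable at 192.168.0.1, sample RADIUS attributes are constructed.
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

SESSION_TTL_SECONDS = 300  # assumed lifetime of a not-yet-visited portal session

# Constructed RADIUS mac-auth request, in the attribute layout a Cisco WLC
# commonly uses (Called-Station-Id carries "<ap-mac>:<ssid>").
SAMPLE_RADIUS_REQUEST = {
    "User-Name": "00-11-22-33-44-55",
    "Calling-Station-Id": "00-11-22-33-44-55",   # the client's MAC
    "Called-Station-Id": "aa-bb-cc-dd-ee-ff:Guest",
    "NAS-IP-Address": "10.10.10.5",              # the controller that asked
}


@dataclass
class DeviceSession:
    mac: str          # client MAC, normalised to aa:bb:cc:dd:ee:ff
    ssid: str         # SSID the client associated to
    nas_ip: str       # controller that sent the RADIUS request
    created_at: float


class PortalSessionStore:
    """Ties a RADIUS request to a later captive-portal hit via a session id."""

    def __init__(self, portal_ip: str, clock: Callable[[], float] = time.time):
        self.portal_ip = portal_ip
        self.clock = clock          # injectable so expiry can be tested
        self._sessions: Dict[str, DeviceSession] = {}

    @staticmethod
    def normalise_mac(raw: str) -> str:
        # Controllers send "AA-BB-CC-DD-EE-FF" or "aabb.ccdd.eeff"; keep one form.
        hexdigits = "".join(c for c in raw.lower() if c in "0123456789abcdef")
        if len(hexdigits) != 12:
            raise ValueError(f"not a MAC address: {raw!r}")
        return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))

    def register_radius_request(self, attrs: Dict[str, str]) -> str:
        """Called when the RADIUS request arrives. Returns the redirect URL the
        controller will hand to the client as its web-auth destination."""
        # An unguessable id, not a counter: the id alone names the device to
        # the portal, so it must not be predictable by another client.
        session_id = secrets.token_urlsafe(16)
        self._sessions[session_id] = DeviceSession(
            mac=self.normalise_mac(attrs["Calling-Station-Id"]),
            ssid=attrs["Called-Station-Id"].split(":")[-1],
            nas_ip=attrs["NAS-IP-Address"],
            created_at=self.clock(),
        )
        return f"http://{self.portal_ip}/cep{session_id}"

    def resolve_portal_hit(self, path: str) -> Optional[DeviceSession]:
        """Called when a browser lands on the portal. Maps the request path back
        to the device; returns None for unknown or expired session ids."""
        if not path.startswith("/cep"):
            return None
        session_id = path[len("/cep"):]
        session = self._sessions.get(session_id)
        if session is None:
            return None
        if self.clock() - session.created_at > SESSION_TTL_SECONDS:
            del self._sessions[session_id]   # stale: the client never showed up
            return None
        return session


def demo() -> Optional[DeviceSession]:
    """Stand-alone walk-through: RADIUS request -> redirect URL -> portal hit."""
    store = PortalSessionStore("192.168.0.1")
    url = store.register_radius_request(SAMPLE_RADIUS_REQUEST)
    path = url[len("http://192.168.0.1"):]
    found = store.resolve_portal_hit(path)
    print("redirect URL:", url)
    print("device behind the portal hit:", found)
    print("bogus id /cep1234 resolves to:", store.resolve_portal_hit("/cep1234"))
    return found


if __name__ == "__main__":
    demo()
```

The point the thread makes is visible in `resolve_portal_hit`: the portal learns the MAC, SSID and controller from the session it created at RADIUS time, so the DHCP exchange that happens inside the controller-to-anchor tunnel is irrelevant to it. A guessed or stale id yields nothing, which is why the id should be random rather than sequential.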
