Hello, everyone! At the company where I work, we are experimenting with PacketFence as a captive portal for our Wi-Fi networks, and we want to clear up some doubts. First of all, congratulations on the great NAC solution!
Nowadays we have two Wi-Fi networks in production:

- Corporative Wi-Fi, authenticating against MS Active Directory, managed by pfSense
- Patients Wi-Fi, authenticating against a hospital information system (HIS) we use, managed by a MikroTik RouterBOARD

In the future, we want to offer a third Wi-Fi network to visitors that eventually come to a conference, congress, lecture, etc. (events in general).

We have downloaded and installed PacketFence ZEN and set it up to manage, by inline enforcement, two test networks we made to simulate our Corporative and Patients Wi-Fi networks. They are already authenticating, the basic captive portal functionality is working and that is great. We want to use PacketFence to manage all of our Wi-Fi networks. But before putting PacketFence into production, we would like to ask some things:

1) We have noticed that if we connect to the Corporative Wi-Fi and authenticate through the captive portal, then disconnect and connect to the Patients Wi-Fi, its captive portal is not shown and access to that second network is granted. In the end, the device is shown on the Nodes table with an IP Address from the Patients network, but Role = Corporative. Enabling the option Reauthenticate node (Should have to reauthenticate the node if vlan change) in Configuration > Main > Inline did not help. Is there any way we could enforce reauthentication if the user exits one network and enters another?

2) For employees that reach the captive portal and don't remember their username and/or password, we would like to allow access to a page on our website where they can reset their password. I found PacketFence has an option called passthrough:

https://packetfence.org/support/faq/article/how-do-i-let-users-trapped-in-registration-or-isolation-reach-certain-websites-passthrough.html?no_cache=1

But following those instructions I was not able to allow access of unauthenticated users to the reset password page. Also, I tried to edit the iptables.conf file, as suggested here, with no success:

https://sites.google.com/site/ricedavida/home/packetfence-with-failover

Changing the Passthrough options in Configuration, Main, Trapping did not help either. Is it actually possible to do what I want using PacketFence? Are those instructions up-to-date?

3) Could PacketFence disconnect users by inactivity? pfSense, for instance, has two settings:

- Idle timeout: Clients will be disconnected after this amount of inactivity. They may log in again immediately, though. Leave this field blank for no idle timeout.
- Hard timeout: Clients will be disconnected after this amount of time, regardless of activity. They may log in again immediately, though. Leave this field blank for no hard timeout (not recommended unless an idle timeout is set).

In PacketFence, I found the Access duration setting, which seems to me similar to the Hard timeout setting of pfSense. Is there any Idle timeout setting in PacketFence?

4) How long is a DHCP lease given by PacketFence? Can I manage that?

5) Is PacketFence capable of blocking some devices by MAC address, or allowing some devices (by MAC address) to use Wi-Fi networks without authenticating?

6) Can we restrict the amount of bandwidth consumed by devices of a given role on a per-device basis and/or on a per-network basis? Can we see which devices are consuming more bandwidth?

7) Is PacketFence able to authenticate users using vouchers, as pfSense does? We plan to authenticate the Events Wi-Fi against random tickets generated right before and just for the event and distributed among visitors.

Thank you very much for your attention!

Antonio
