Antonio,

From what I got from Jack's email it looks quite straightforward.
Basically you need to edit your Portal Profiles, in each of them you go to
the "Filters" section and add a "VLAN" filter with the vlan you use for
that portal. Don't forget to change the option to ALL in "If all any of
the following conditions are met:"
This way only people on that specific VLAN will be able to use that profile.

The only problem I see with this scenario is, if the device is already
registered it will go through the portal profiles again?

On 19 January 2017 at 18:44, Antônio Vinícius <vinyanali...@gmail.com>
wrote:

> Thank you for your efforts, Derek.
>
> I applied your fix (I opened that file with a text editor and changed
> just that line, is that enough?), I reenabled that option, as you told
> me to do so, and tested that situation again (connect to the first
> network, authenticate through the captive portal, then disconnect and
> connect to the second network).
>
> The first time, it worked as expected. The captive portal of the
> second network was shown: login and password fields.
>
> But then, once authenticated on the second network, I did it the way
> back (I disconnected from the second network and connected to the
> first network), my cell phone notified me to login. When I clicked the
> notification and the browser opened, the captive portal of the first
> network showed me not the login and password fields, but a message
> like "Your network should be enabled within a minute or two. If it is
> not reboot your computer". And enabled my device. I believe the
> captive portal should present the login and password fields again.
>
> Then, I checked the Nodes tab on PacketFence, and my device ended up
> with an IP address from the first network, but a role from the second,
> similar to what happened before.
>
> I tested changing networks many times. It seems like now PacketFence
> does not behave the same way all the time: sometimes it shows me the
> login form, sometimes it says my network should be enabled within a
> minute or two (and then access to the network is granted), sometimes
> my cell phone does not even notify me about authentication and access
> is granted immediately.
>
> We don't believe that our users are going to really do something like
> that (e.g. connect to the Patients Wi-Fi, authenticate as a valid
> patient, then connect to the Corporative Wi-Fi and get access granted
> automatically, although not being a valid employee). But realizing
> that was possible made us concerned about security, so we ended up
> using two different servers to manage two Wi-Fi networks, but we would
> like to use just PacketFence, if that problem gets solved.
>
> I'm going to try Jake's suggestion, but I did not understand it
> completely. Maybe I would need a howto. As I said, I already setup
> Network filters on the Portal Profiles configuration screen. Shouldn't
> that be sufficient?
>
> Thank you again!
>
>
> 2017-01-16 15:52 GMT-02:00 Derek Wuelfrath <dwuelfr...@inverse.ca>:
> >
> > Antonio,
> >
> > So I tested the flow described and discovered a code issue when it comes to the IP reevaluation workflow.
> > I opened an issue (https://github.com/inverse-inc/packetfence/issues/1963) and fixed it with the commit id (https://github.com/inverse-inc/packetfence/commit/73ab8151017d49e1006f5f8bc37bbf401a69cb1f)
> >
> > Please try to apply that fix to your setup, reenable the “Reauthenticate node” configuration parameter under Configuration > Inline and let me know if that works.
> >
> > Cheers!
> > -dw.
> >
> > --
> > Derek Wuelfrath
> > de...@inverse.ca
> > Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence (www.packetfence.org)
> >
> > On Jan 13, 2017, at 17:01, viny <vinyanali...@gmail.com> wrote:
> >
> > In principle, in the hospital where I work, what we wanted was to use
> > PacketFence to manage both of our wireless networks, as I reported
> > here: https://sourceforge.net/p/packetfence/mailman/message/35511813/
> >
> > Unless you configure PacketFence otherwise [...]
> >
> >
> > We would like to configure PacketFence so that it automatically
> > unregisters any node that leaves a first network and enters a second
> > one, showing that node the second network's captive portal so it must
> > register again to use the second network. But we don't know how to
> > achieve that. Do you have any idea on how to do it?
> >
> > If you could shed some light on that problem, we would be very
> > thankful. We could shutdown pfSense and use only PacketFence.
> >
> > Let me explain our setup.
> >
> > In our first experiment with PacketFence, we have set up its interfaces
> > this way:
> >
> > - eth0: Management
> > - eth0 VLAN ID 500: Inline Layer 2, IP address 10.100.32.1/20
> > - eth0 VLAN ID 600: Inline Layer 2, IP address 10.100.64.1/20
> >
> > And we have set up Ubiquiti APs to serve two wireless networks:
> >
> > (1) SSID Corporative Wi-Fi: VLAN ID 500
> > (2) SSID Patients Wi-Fi: VLAN ID 600
> >
> > Following the Administration Guide, in PacketFence:
> >
> > - We have created two user roles: (1) Employee and (2) Patient
> > - We have added two authentication sources: (1) Active Directory with a
> > rule so that Role = Employee and (2) external HTTP API with a rule so
> > that Role = Patient
> > - We have created two portal profiles: (1) Employee, with a filter
> > Network = 10.100.32.0/20 and Source = Active Directory and (2) Patient
> > with a filter Network = 10.100.64.0/20 and Source = external HTTP API
> >
> > So, what happens? (let me retype the relevant portion of my first
> > email)
> >
> > We have noticed that if we connect to the Corporative Wi-Fi and
> > authenticate through the captive portal, then disconnect and connect
> > to the Patients Wi-Fi, its captive portal is not shown and access to
> > that second network is granted. In the end, the device is shown on the
> > Nodes table with an IP Address from the Patients network, but Role =
> > Corporative.
> >
> >
> > Enabling the option Reauthenticate node (Should have to reauthenticate
> > the node if vlan change) in Configuration > Main > Inline did not
> > help.
> >
> >
> > Is there any way we could enforce reauthentication if the user exits
> > one network and enters another?
> >
> > Thank you in advance!
> >
> >
> > Antonio
> >
> >
>
> ------------------------------------------------------------------------------
> Check out the vibrant tech community on one of the world's most
> engaging tech sites, SlashDot.org! http://sdm.link/slashdot
> _______________________________________________
> PacketFence-users mailing list
> PacketFence-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/packetfence-users
>



-- 
José Duarte, *IT-Event Manager*
http://www.eslgaming.com


*Turtle eSports Technology GmbH*
Siegburger Str. 189 | 50679 Cologne, Germany
Managing Directors: Marcel Menge, Dr. Andreas Walker
Register Court: Local Court Cologne, HRB 63288
http://www.esl-tech.com
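As an added illustration of the advice at the top of this thread (switch the profile filter condition to ALL when stacking a VLAN filter on top of a network filter), here is a small model of how a list of portal-profile filters can be evaluated under "any" versus "all" semantics. This is example code written for this page, not PacketFence's own implementation: the filter tuple representation, the first-match-wins ordering and the `stale_phone` sample node are constructed assumptions. The profile names, VLAN IDs and subnets are the ones described in the thread.

```python
"""Model of portal-profile filter evaluation with "any" vs "all" matching.

Added example, not PacketFence code. Filter representation, ordering rule and
sample nodes are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass


@dataclass
class Profile:
    name: str
    # (filter_type, value) pairs, e.g. ("vlan", "500") or ("network", "10.100.32.0/20")
    filters: list
    match_style: str = "any"  # "any": one filter suffices; "all": every filter must hold


def filter_matches(ftype: str, value: str, node: dict) -> bool:
    """Evaluate one filter against a node record of the form {"vlan": ..., "ip": ...}."""
    if ftype == "vlan":
        return str(node.get("vlan")) == str(value)
    if ftype == "network":
        return ipaddress.ip_address(node["ip"]) in ipaddress.ip_network(value, strict=False)
    raise ValueError(f"unsupported filter type: {ftype}")


def profile_matches(profile: Profile, node: dict) -> bool:
    """Combine per-filter results according to the profile's match style."""
    results = [filter_matches(t, v, node) for t, v in profile.filters]
    if not results:
        return False  # in this model a profile with no filters never matches
    return all(results) if profile.match_style == "all" else any(results)


def select_profile(profiles, node: dict, default: str = "default") -> str:
    """First matching profile wins (assumed ordering rule); fall back to a default."""
    for profile in profiles:
        if profile_matches(profile, node):
            return profile.name
    return default


def build_profiles(match_style: str):
    """The two profiles from the thread, each filtered on its own VLAN and subnet."""
    return [
        Profile("Employee", [("vlan", "500"), ("network", "10.100.32.0/20")], match_style),
        Profile("Patient", [("vlan", "600"), ("network", "10.100.64.0/20")], match_style),
    ]


# Constructed sample nodes. "stale_phone" mimics the inconsistent state reported
# in the thread: attached to the Patients VLAN while still holding an address
# from the Corporative subnet.
NODES = {
    "employee_laptop": {"vlan": 500, "ip": "10.100.32.10"},
    "patient_phone": {"vlan": 600, "ip": "10.100.64.10"},
    "stale_phone": {"vlan": 600, "ip": "10.100.32.50"},
}


def compare_styles():
    """Return {node_name: (profile chosen under "any", profile chosen under "all")}."""
    return {
        name: (
            select_profile(build_profiles("any"), node),
            select_profile(build_profiles("all"), node),
        )
        for name, node in NODES.items()
    }


if __name__ == "__main__":
    for name, (any_style, all_style) in compare_styles().items():
        print(f"{name:16} any -> {any_style:9} all -> {all_style}")
```

Under "any", the stale node is handed the Employee profile purely because its leftover address falls inside 10.100.32.0/20; under "all" the VLAN filter has to agree as well, so no profile claims the node and it falls through to the default. This models only profile selection; the thread's open question of whether an already registered node is sent back through the portal at all is a separate registration-state issue that filter matching does not address.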