Hi,

Have you tried adding RADIUS as an additional daemon listening on the
management interface?

Regards,

Murilo


On Tue, 19 Feb 2019 at 04:11, Tony W via PacketFence-users <
packetfence-users@lists.sourceforge.net> wrote:

> Hi Fabrice,
>
> Thank you for your help so far.
>
> My interface naming is all good; however, I am still having a small
> issue understanding this correctly.
>
> You indicate that I should make the management interface the one with
> Internet access.
> The management interface is also used to talk to my Ruckus controller.
>
> According to the documentation, I can only have 1 management interface.
>
> Example of what I am trying to do:
>
> Ruckus 802.1x Auth     eth0   <--> PF eth1 - No Internet access
> Registration (VLAN 10) eth0.10 --> PF eth1 - No Internet access
> User inline (VLAN 11)   eth0.11 --> PF eth1 - Internet Access
> User inline (VLAN12)    eth0.12 --> PF eth1 - Internet Access
> User inline (VLAN13)    eth0.13 --> PF eth1 - Internet Access
> ---
> eth1 = - Management - Public IP address
>
> The Ruckus controller will do the 802.1x auth and radius in PF will
> give the correct VLAN to Ruckus on successful auth and the visitor
> will end up in the assigned VLAN.
>
> I cannot get my head around getting the Ruckus controller to talk to
> the management interface when that is assigned to eth1.
> Something is missing in my understanding. I guess I am thinking
> traditional NAT/Firewall with 2 interfaces.
> I prefer management VLAN to be un-tagged and on eth0, not on eth1.
> Internet access should be on eth1.
> I have 2 more interfaces, so I could let the Ruckus (and other
> equipment) use one of those (eth2 and eth3).
>
> Sorry to be asking this again....
>
> Tony
>
>
> On Tue, 19 Feb 2019 at 01:20, Fabrice Durand via PacketFence-users
> <packetfence-users@lists.sourceforge.net> wrote:
> >
> > Hello Tony,
> >
> > On 2019-02-17 at 23:22, Tony W via PacketFence-users wrote:
> > > Hi Fabrice,
> > >
> > > Thank you for that.
> > >
> > > So for PF, set 1 external interface (WAN) with Internet access (Inline)
> > No, a management one with internet access.
> > > Then set at least 1 internal interface (LAN) with VLANs, say 10 for SSID,
> > > 11, 12, 13, 14....for the users to be allocated to once authenticated.
> > 11, 12, 13, 14 as inline.
> > >
> > > I do not need (Or want) Internet access on VLAN 10, only DHCP for the
> > > client devices.
> > So 10 is a registration interface.
> > > When the client device successfully authenticates, the client traffic
> > > will go to the
> > > selected/allocated VLAN (11, 12, 13 or ....) and be given new IP
> > > addresses by DHCP.
> > It's what an inline interface does.
> > > It is no big deal regarding people being on the initial VLAN 10 as not
> > > many will be there at any one time.
> > The registration interface on VLAN 10 will have a short lease time; by
> > default we set it to 30s.
> > >
> > > Just a quick question specific to CentOS 7.6 and PF.
> > >
> > > CentOS 7.x issues interface names like em1, em2, p2p1, p2p2 etc.,
> > > instead of the old style eth0, eth1...
> > >
> > > Will PF still work OK if I change this to the old style (see link below)?
> > >
> > > https://sites.google.com/site/syscookbook/rhel/rhel-network-interface-rename-rhel7
> > Yes, it will work.
> > >
> > > I feel more comfortable using the old interface naming convention, and
> > > the above procedure works well :-)
> > >
> > Regards
> >
> > Fabrice
> >
> > >
> > > On Mon, 18 Feb 2019 at 12:09, Durand fabrice via PacketFence-users
> > > <packetfence-users@lists.sourceforge.net> wrote:
> > >> Hello Tony,
> > >>
> > >> You can set the VLAN as inline in PacketFence.
> > >>
> > >> What I would do in this case is the following:
> > >>
> > >> - Create on PF all the VLANs as inline interfaces, for example eth1.10,
> > >> eth1.11, eth1.12 .... (the VLANs you return when authenticated).
> > >>
> > >> - Set these VLAN IDs in the switch config (PacketFence side).
> > >>
> > >> That's it.
> > >>
> > >> The only issue you will have is when you unreg a device: it will
> > >> stay on the inline VLAN but hit the portal on the inline interface.
> > >>
> > >> If the device reconnects, it will go on the reg VLAN.
> > >>
> > >> Regards
> > >>
> > >> Fabrice
> > >>
> > >>
> > >>
> > >> On 2019-02-17 at 19:35, Tony W via PacketFence-users wrote:
> > >>> Hi there,
> > >>>
> > >>> Trying to work out how to get PF to work as a NAT/firewall to the
> > >>> internet whilst doing RADIUS and VLAN enforcement.
> > >>>
> > >>> Is this possible? Reading the documentation, it appears that the
> > >>> current version will work in hybrid mode
> > >>> (a combination of both) but seems to be for "flat" networks on
> > >>> switches that cannot be managed.
> > >>>
> > >>> I run a wireless network controller, where visitors connect to an SSID
> > >>> (assigned to a specific VLAN). This VLAN has no
> > >>> Internet access.
> > >>> Authentication is 802.1x. Once authenticated, the visitor is directed to
> > >>> one of a number of predetermined VLANs by PF.
> > >>> Each of the VLANs shall have Internet access through the same PF box.
> > >>> PF tells Ruckus to put the visitor in the
> > >>> assigned VLAN. DHCP is used on the initial connection and each of the
> > >>> VLANs shall have their own DHCP scope.
> > >>>
> > >>> I have done this before using FreeRADIUS with daloRADIUS and a Ruckus
> > >>> controller, configured manually on CentOS 7.3
> > >>> with firewall/NAT. That solution is lacking some of the nice extra
> > >>> stuff integrated in PF.
> > >>>
> > >>> Whilst not expecting someone to give me the whole solution, I am
> > >>> looking for some pointers and confirmation that
> > >>> PF is suitable for what I want to do.
> > >>>
> > >>> Thanks in advance
> > >>>
> > >>> Tony
> > >>>
> > >>>
> > >>> _______________________________________________
> > >>> PacketFence-users mailing list
> > >>> PacketFence-users@lists.sourceforge.net
> > >>> https://lists.sourceforge.net/lists/listinfo/packetfence-users
> > >>
> > >
> >
> > --
> > Fabrice Durand
> > fdur...@inverse.ca ::  +1.514.447.4918 (x135) ::  www.inverse.ca
> > Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and
> PacketFence (http://packetfence.org)
> >
> >
> >
>
>
>
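To make the interface roles discussed in this thread concrete (one registration VLAN that gets DHCP and the portal from the PF box but no Internet, several inline VLANs that are forwarded and NATed out through the interface with Internet access), here is an added illustration. It is not PacketFence's own code and PacketFence generates its own iptables rules for inline interfaces; the script only prints, in dry-run form, the Linux commands that express that per-VLAN policy so you can check the plan before configuring PF. The interface names (eth0 as the trunk towards the controller, eth1 as the Internet side), the VLAN IDs 10 to 13 from the thread, and the 10.0.N.0/24 addressing scheme are assumptions.

```shell
#!/bin/sh
# Added illustration, not PacketFence code. Prints (never runs) the commands
# that realize the per-VLAN policy from the thread: registration VLAN reaches
# the PF box only (DHCP/DNS/portal terminate locally, INPUT chain) and is never
# forwarded; inline VLANs are forwarded and masqueraded via the Internet side.

TRUNK_IF="eth0"          # assumption: tagged trunk towards the Ruckus controller
WAN_IF="eth1"            # assumption: interface holding the public IP / Internet
REG_VLAN="10"            # registration VLAN (no Internet access)
INLINE_VLANS="11 12 13"  # VLANs returned to Ruckus after a successful 802.1X auth

# Name of the VLAN sub-interface PF would be configured on, e.g. eth0.11
vlan_ifname() {
    printf '%s.%s\n' "$1" "$2"
}

# Constructed addressing scheme: VLAN N uses 10.0.N.0/24 with PF at .1
vlan_subnet() {
    printf '10.0.%s.0/24\n' "$1"
}

# Commands to create one sub-interface and give PF an address on it
link_cmds() {
    ifname=$(vlan_ifname "$TRUNK_IF" "$1")
    printf 'ip link add link %s name %s type vlan id %s\n' "$TRUNK_IF" "$ifname" "$1"
    printf 'ip addr add 10.0.%s.1/24 dev %s\n' "$1" "$ifname"
    printf 'ip link set %s up\n' "$ifname"
}

# Registration VLAN: clients talk to PF itself, nothing is forwarded onward
registration_rules() {
    ifname=$(vlan_ifname "$TRUNK_IF" "$1")
    printf 'iptables -A FORWARD -i %s -j DROP\n' "$ifname"
}

# Inline VLAN: forward to the WAN side, allow replies, masquerade behind WAN IP
inline_rules() {
    ifname=$(vlan_ifname "$TRUNK_IF" "$1")
    subnet=$(vlan_subnet "$1")
    printf 'iptables -A FORWARD -i %s -o %s -j ACCEPT\n' "$ifname" "$WAN_IF"
    printf 'iptables -A FORWARD -i %s -o %s -m state --state ESTABLISHED,RELATED -j ACCEPT\n' "$WAN_IF" "$ifname"
    printf 'iptables -t nat -A POSTROUTING -s %s -o %s -j MASQUERADE\n' "$subnet" "$WAN_IF"
}

# The whole plan: enable forwarding, then sub-interface plus policy per VLAN
plan() {
    printf 'sysctl -w net.ipv4.ip_forward=1\n'
    link_cmds "$REG_VLAN"
    registration_rules "$REG_VLAN"
    for vid in $INLINE_VLANS; do
        link_cmds "$vid"
        inline_rules "$vid"
    done
}

# Checks a practitioner would want before applying anything:
# exactly one NAT rule per inline VLAN, and none for the registration VLAN.
count_nat_rules() {
    plan | grep -c MASQUERADE
}

registration_is_natted() {
    if plan | grep MASQUERADE | grep -q "$(vlan_subnet "$REG_VLAN")"; then
        echo yes
    else
        echo no
    fi
}

if [ "${1:-}" = "--plan" ]; then
    plan
fi
```

Run it as `sh plan.sh --plan` to see the command list; nothing is applied to the host. The registration VLAN's FORWARD DROP does not break DHCP, DNS or the captive portal, because those sessions terminate on the PF box and go through the INPUT chain, not FORWARD.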